Cryptography IP (AES Core) Wiki

Published by admin on 02-05-2020 at 6:47 am
Last updated on 07-12-2025 at 5:41 am

Cryptography IP refers to pre-designed, reusable hardware blocks that implement cryptographic algorithms and security protocols within integrated circuits (ICs), System-on-Chip (SoC), microcontrollers (MCUs), and FPGA-based systems. These IP blocks accelerate cryptographic operations, secure communications, protect data, and ensure the integrity and confidentiality of digital systems.

Cryptographic IP is a cornerstone of trusted computing, especially in applications involving secure boot, payment systems, digital rights management (DRM), embedded security, automotive ECUs, and edge AI devices.


Overview

  • Purpose: Accelerate and securely execute cryptographic functions in hardware

  • Used in: SoCs, ASICs, FPGAs, smartcards, trusted platform modules (TPMs)

  • Form factors: Soft IP (RTL), hard IP (GDSII), or firmware-assisted co-processors

  • Complies with: Standards like NIST, ISO, FIPS 140, PSA Certified, Common Criteria


Categories of Cryptography IP

1. Symmetric Cryptography

  • Algorithms: AES, DES, Triple-DES, ChaCha20, SM4

  • Use cases: Secure storage, VPNs, encrypted memory, disk encryption

  • IP Examples:

    • AES-128/256 cores (ECB, CBC, GCM modes)

    • High-throughput AES pipeline cores (up to 100 Gbps+)

    • Low-power, resource-constrained AES for IoT


2. Asymmetric Cryptography

  • Algorithms: RSA, ECC, Ed25519, ECDSA, ElGamal

  • Use cases: Secure boot, digital signatures, TLS/SSL, blockchain wallets

  • IP Examples:

    • RSA up to 4096-bit key support

    • ECC cores (NIST, Brainpool, Curve25519, SM2)

    • Hardware accelerators for signature verification


3. Hashing and Message Authentication

  • Algorithms: SHA-1, SHA-2, SHA-3, HMAC, BLAKE2, SM3

  • Use cases: Data integrity, password hashing, MACs, secure boot

  • IP Examples:

    • SHA-256/512 engines

    • Keccak (SHA-3) implementations

    • HMAC engines with pre-integrated keys


4. Random Number Generators

  • Types: TRNG (True Random Number Generator), DRBG (Deterministic RNG)

  • Use cases: Key generation, entropy provisioning, nonces

  • IP Examples:

    • FIPS-compliant TRNGs based on ring oscillators, jitter

    • Entropy mixing logic and health checks

    • DRBGs (e.g., CTR_DRBG, HMAC_DRBG)


5. Public Key Infrastructure (PKI) Acceleration

  • Protocols: TLS, IPsec, IKE, DTLS, SSH, S/MIME

  • IP Features:

    • Modular exponentiation

    • Elliptic curve point arithmetic

    • Certificate parsing (in some high-level crypto cores)


6. Post-Quantum Cryptography (Emerging)

  • NIST PQC Candidates: CRYSTALS-Kyber, Dilithium, Falcon

  • Use cases: Quantum-resilient authentication and encryption

  • Status: IP vendors are beginning to offer PQC-ready cores or hybrid implementations


Security Standards Compliance

Standard Purpose
FIPS 140-2/3 U.S. government crypto module certification
Common Criteria (CC) Global product security evaluation
ISO/IEC 18033 International crypto algorithm standardization
NIST SP 800 Series Guidelines for RNG, crypto strength, and key management
PSA Certified IoT device security and crypto IP trustworthiness
EMVCo / PCI Secure payment system crypto compliance

Vendors and Providers of Crypto IP

Vendor Notable Crypto IP Features
Rambus Full crypto suite including FIPS-compliant TRNGs, AES, RSA, ECC
Synopsys DesignWare cryptography accelerators, security subsystems
Cadence Crypto cores with low-latency MAC/ENC/DEC support
Arctic Sand / Secure-IC Hardware root of trust (RoT), tamper resistance
Silex Insight Flexible crypto IPs with secure key management
CryptoQuantique Quantum-driven secure entropy sources
OpenTitan Open-source root of trust including AES, SHA, HMAC, ECC
SiFive Secure RISC-V cores with crypto extensions

Integration in SoCs and Secure Systems

Cryptographic IP is typically integrated in:

  • Secure Subsystems: Hardware Root of Trust, Secure Enclave

  • Trusted Execution Environments (TEE): e.g., Arm TrustZone, Keystone (RISC-V)

  • Secure Boot Chains: From ROM code through verified OS launch

  • IoT Devices: Device attestation, TLS/DTLS endpoints

  • Automotive ECUs: Secure CAN, secure OTA updates


Design Considerations

Concern Notes
Area and Power Trade-offs Important in IoT and wearables
Latency vs Throughput TLS handshake vs real-time media encryption
Side-Channel Resistance Prevent timing, power, and EM attacks
Secure Key Storage Integration with PUFs, OTP, or secure SRAM
Compliance Requirements FIPS validation may restrict design flexibility

Verification and Validation

  • Functional Verification: Test against known-answer tests (KATs)

  • Formal Verification: Applied to critical modules (e.g., RSA core)

  • Security Testing:

    • Fault injection resistance

    • Differential power analysis (DPA) resistance

    • Randomness quality for TRNGs (NIST SP 800-90B)


Emerging Trends

  • Post-Quantum Cryptography IP adoption (hybrid RSA+Kyber)

  • Lightweight Crypto IPs for ultra-low-power SoCs (e.g., ASCON, SPECK)

  • Crypto-as-a-Service using IP-managed secure enclaves

  • Open-source crypto IPs under active development for RISC-V and edge platforms

  • Hardware Security Modules (HSM) integration in edge and automotive SoCs

Share this post via:

Comments

There are no comments yet.

You must register or log in to view/post comments.