Date post: 14-Dec-2015
Upload: travis-medders
ECE 448 – FPGA and ASIC Design with VHDL George Mason University ECE 448: Lab 2 Implementing Sequential Logic in VHDL

Agenda for today

Part 1: Introduction to Experiment 2: Stream Cipher Trivium

Part 2: Example: Programmable LFSR-based Pseudorandom Number Generator

Part 3: Hands-on Session: Simulation using ModelSim

Part 1

Introduction to Experiment 2

Stream Cipher Trivium

Secret-Key Ciphers

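[Figure: Alice and Bob share the secret key KAB. Alice performs encryption, the ciphertext crosses the network, and Bob performs decryption.]

Cipher

[Figure: cipher block. Inputs: Message / Ciphertext (m bits), Cryptographic Key (k bits), Encrypt/Decrypt (1 bit). Output: Ciphertext / Message (m bits).]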

Block vs. stream ciphers

Block cipher (key K):

M1, M2, …, Mn → C1, C2, …, Cn

Ci = fK(Mi)

Every block of ciphertext is a function of only one corresponding block of plaintext

Stream cipher (key K, with memory):

m1, m2, …, mn → c1, c2, …, cn

ci = fK(mi, mi-1, …, m2, m1)

Every block of ciphertext is a function of the current and all preceding blocks of plaintext

Typical stream cipher

[Figure: sender and receiver each run a Pseudorandom Key Generator loaded with the Key K and the Initialization Vector IV. The sender combines plaintext mi with keystream ki to produce ciphertext ci; the receiver combines ciphertext ci with keystream ki to recover plaintext mi.]

Example

ci = mi ⊕ ki

mi  01110110101001010110101  message
ki  11011101110110101110110  keystream
ci  10101011011111111000011  ciphertext

mi = ci ⊕ ki

ci  10101011011111111000011  ciphertext
ki  11011101110110101110110  keystream
mi  01110110101001010110101  message

Common Building Blocks of Pseudorandom Key Generators

• Linear Feedback Shift Register (LFSR)

• Non-linear Feedback Shift Register (NFSR)

LFSR = Linear Feedback Shift Register

Example of a simple 5-stage LFSR

[Figure: five register stages holding s_i, s_{i+1}, s_{i+2}, s_{i+3}, s_{i+4}, with feedback bit s_{i+5}]

s_{i+5} = s_i + s_{i+1} + s_{i+3}

Notation:

• + is used to denote XOR

• 1 register stage = D flip-flop
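The 5-stage recurrence above, as an added software model with programmable feedback coefficients (example code, not the lab's source code). The coefficient-list encoding and the second tap set (s_{i+5} = s_i + s_{i+2}) are assumptions chosen for comparison; the model shows that the tap choice decides the period, and that the slide's example repeats after 15 states rather than the 31 a maximal-length 5-stage LFSR reaches.

```python
# Added example: software model of an L-stage LFSR with programmable
# feedback coefficients c[0..L-1] (1 = stage is XORed into the feedback).

def lfsr_step(state, coeffs):
    """state = [s_i, ..., s_{i+L-1}]. Returns (next_state, output bit s_i).
    The feedback bit s_{i+L} is the XOR of all stages whose coefficient is 1."""
    fb = 0
    for s, c in zip(state, coeffs):
        fb ^= s & c
    return state[1:] + [fb], state[0]

def output_bits(state, coeffs, n):
    """First n output bits of the generator started in `state`."""
    out = []
    for _ in range(n):
        state, bit = lfsr_step(state, coeffs)
        out.append(bit)
    return out

def period(state, coeffs):
    """Steps until the register returns to its starting state, or None.
    With c[0] = 0 the state update is not invertible, so the start state
    may never recur; the search is bounded by the 2**L possible states."""
    start = list(state)
    for n in range(1, 2 ** len(start) + 1):
        state, _ = lfsr_step(state, coeffs)
        if state == start:
            return n
    return None

# Taps of the slide's example: s_{i+5} = s_i + s_{i+1} + s_{i+3}
SLIDE_TAPS = [1, 1, 0, 1, 0]
# Assumed comparison taps: s_{i+5} = s_i + s_{i+2} (x^5 + x^2 + 1, primitive)
PRIMITIVE_TAPS = [1, 0, 1, 0, 0]

if __name__ == "__main__":
    seed = [0, 0, 0, 0, 1]  # constructed start state
    print("slide taps period:", period(seed, SLIDE_TAPS))
    print("primitive taps period:", period(seed, PRIMITIVE_TAPS))
    print("first 16 bits:", output_bits(seed, SLIDE_TAPS, 16))
```
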

NFSR = Non-Linear Feedback Shift Register

Example of a simple 5-stage NFSR

[Figure: five register stages holding b_i, b_{i+1}, b_{i+2}, b_{i+3}, b_{i+4}, with feedback bit b_{i+5}]

b_{i+5} = b_i b_{i+1} + b_{i+3}

+ is used to denote XOR

b_m b_n is used to denote b_m AND b_n

eSTREAM - Contest for a new stream cipher standard, 2004-2008

PROFILE 1

• Stream cipher suitable for software implementations optimized for high speed

• Minimum key size - 128 bits

• Initialization vector – 64 bits or 128 bits

PROFILE 2

• Stream cipher suitable for hardware implementations with limited memory, number of gates, or power supply

• Minimum key size - 80 bits

• Initialization vector – 32 bits or 64 bits

Trivium Stream Cipher

• One of the 3 winners of the contest

• 80 Bit Key and IV

• Hardware Oriented

• Very simple (“trivial”) internal structure

• Parallelizable up to 64 bits/clock cycle

Trivium – Internal Structure

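[Figure: Trivium internal structure. Three shift registers connected through AND and XOR gates; labelled signals t1, t2, t3 and u1, u2, u3; labelled taps s69, s91, s92, s171, s175, s176, s264, s286, s287.]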

Pseudocode of the Keystream Generation

for i = 1 to N do
    t1 ← s66 + s93
    t2 ← s162 + s177
    t3 ← s243 + s288
    zi ← t1 + t2 + t3
    u1 ← t1 + s91 · s92 + s171
    u2 ← t2 + s175 · s176 + s264
    u3 ← t3 + s286 · s287 + s69
    (s1, s2, ... , s93) ← (u3, s1, ... , s92)
    (s94, s95, ... , s177) ← (u1, s94, ... , s176)
    (s178, s179, ... , s288) ← (u2, s178, ... , s287)
end for

Initialization

• Key is placed in registers s1-s80

• IV is placed in registers s94-174

• Remaining bits are 0 except for 286-288 which are 1

• Run for 4 complete cycles discarding keystream

Pseudocode of the Initialization

Requested Interface & Control Unit

Extra Credit

Parallelized Architecture of Trivium

Parallelization of Trivium

Approach:

• Duplicate logic in feedback loops

(XOR and AND gates)

• Shift by two (or more) positions per clock cycle

Goal:

• Encrypt two (or more) bits of a message per clock cycle

• Requires generating two (or more) bits of the corresponding keystream per clock cycle

Pseudocode of the Keystream Generation in a parallelized version of Trivium

A 2-bit output per clock cycle

for i = 1 to N/2 do
    t1 <- s66 + s93
    t2 <- s162 + s177
    t3 <- s243 + s288

    t1_1 <- s65 + s92
    t2_1 <- s161 + s176
    t3_1 <- s242 + s287

    zi <- (t1 + t2 + t3) || (t1_1 + t2_1 + t3_1)

    u1 <- t1 + s91 · s92 + s171
    u2 <- t2 + s175 · s176 + s264
    u3 <- t3 + s286 · s287 + s69

    u1_1 <- t1_1 + s90 · s91 + s170
    u2_1 <- t2_1 + s174 · s175 + s263
    u3_1 <- t3_1 + s285 · s286 + s68

    (s1,s2,...,s93) <- (u3_1,u3,s1,...,s91)
    (s94,s95,...,s177) <- (u1_1,u1,s94,...,s175)
    (s178,s179,...,s288) <- (u2_1,u2,s178,...,s286)
end for
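The serial pseudocode, the initialization steps and the 2-bit parallel pseudocode above, as an added bit-level reference model (example code, not the lab's source code) for checking a VHDL simulation against. Assumptions: key and IV are given as lists of 80 bits with element 0 loaded into s1 and s94 respectively, the IV occupies s94..s173 as in the published Trivium specification, and KEY and IV are constructed sample values.

```python
# Added reference model. s[1]..s[288] follow the slide numbering; s[0] is unused.

def step(s):
    """One serial iteration: returns (new_state, (z,))."""
    t1, t2, t3 = s[66] ^ s[93], s[162] ^ s[177], s[243] ^ s[288]
    u1 = t1 ^ (s[91] & s[92]) ^ s[171]
    u2 = t2 ^ (s[175] & s[176]) ^ s[264]
    u3 = t3 ^ (s[286] & s[287]) ^ s[69]
    new = [0, u3] + s[1:93] + [u1] + s[94:177] + [u2] + s[178:288]
    return new, (t1 ^ t2 ^ t3,)

def step2(s):
    """Two iterations per call, using the duplicated feedback logic."""
    t1, t2, t3 = s[66] ^ s[93], s[162] ^ s[177], s[243] ^ s[288]
    t1_1, t2_1, t3_1 = s[65] ^ s[92], s[161] ^ s[176], s[242] ^ s[287]
    u1 = t1 ^ (s[91] & s[92]) ^ s[171]
    u2 = t2 ^ (s[175] & s[176]) ^ s[264]
    u3 = t3 ^ (s[286] & s[287]) ^ s[69]
    u1_1 = t1_1 ^ (s[90] & s[91]) ^ s[170]
    u2_1 = t2_1 ^ (s[174] & s[175]) ^ s[263]
    u3_1 = t3_1 ^ (s[285] & s[286]) ^ s[68]
    new = ([0, u3_1, u3] + s[1:92] + [u1_1, u1] + s[94:176]
           + [u2_1, u2] + s[178:287])
    return new, (t1 ^ t2 ^ t3, t1_1 ^ t2_1 ^ t3_1)

def init_state(key_bits, iv_bits):
    """Key -> s1..s80, IV -> s94..s173, s286..s288 = 1, everything else 0;
    then run 4 full cycles (4 * 288 steps) and discard the keystream."""
    assert len(key_bits) == len(iv_bits) == 80
    s = [0] * 289
    s[1:81] = key_bits
    s[94:174] = iv_bits
    s[286:289] = [1, 1, 1]
    for _ in range(4 * 288):
        s, _z = step(s)
    return s

def keystream(key_bits, iv_bits, n, stepper=step):
    """First n keystream bits; pass stepper=step2 for the parallel model."""
    s, out = init_state(key_bits, iv_bits), []
    while len(out) < n:
        s, bits = stepper(s)
        out.extend(bits)
    return out[:n]

def xor_bits(a, b):
    """ci = mi XOR ki (encryption) and mi = ci XOR ki (decryption)."""
    return [x ^ y for x, y in zip(a, b)]

KEY = [(7 * i + 3) % 5 % 2 for i in range(80)]  # constructed sample key
IV = [(3 * i + 1) % 7 % 2 for i in range(80)]   # constructed sample IV
```

Comparing `keystream(KEY, IV, n)` with `keystream(KEY, IV, n, stepper=step2)` checks that the duplicated feedback logic produces the same bits as the serial design.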

Part 2

Example: Programmable LFSR-based Pseudorandom Number Generator

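LFSR with the Programmable Feedback Logic

[Figure: L-stage LFSR with programmable feedback coefficients c0, c1, ..., cL-2, cL-1, input sin, and register contents labelled Current_state]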

See source codes available on the lab web page

Part 3

Hands-on Session on Simulation using ModelSim

