Cryptographic Accelerator Design: Dedicated Hardware for AES/RSA/ECC/SHA — specialized MAC engines and multipliers for symmetric/asymmetric encryption enabling Gbps throughput and TLS protocol acceleration
AES Hardware Engine
- Cipher Block Size: 128-bit block, operates on 4×4 byte state matrix, 10/12/14 rounds (AES-128/192/256)
- Round Operations: SubBytes (byte substitution), ShiftRows (transpose), MixColumns (GF(2^8) mixing), AddRoundKey (XOR with round key)
- Pipelined Implementation: 1 round per cycle (10-14 cycles for encryption), high throughput (10-100 Gbps at 1-10 GHz)
- Modes of Operation: ECB/CBC (sequential), CTR/GCM (parallel), hardware supports multiple modes via mode-specific control logic
- GCM Mode: authenticated encryption (AES-CTR + GHASH), GHASH operates in GF(2^128) (polynomial multiplication), critical for TLS 1.3
AES-GCM Throughput
- GCM Bottleneck: GHASH sequential (1 128-bit polynomial multiply per block), limits throughput vs CTR parallelism
- Fast GHASH: karatsuba multiplication (3 multiplies instead of 4), precomputed lookup tables, 1-2 cycles per block achievable
- 1400 Gbps Target: modern accelerators achieve 1.4 TB/s (AES-256-GCM), assuming 1 byte/cycle throughput
RSA/ECC Public-Key Accelerator
- RSA Encryption: C = M^e mod N (public exponent operation), requires modular exponentiation (large exponent, typically e=65537)
- RSA Decryption: M = C^d mod N (private exponent d typically 1024-2048 bits), computationally intensive
- Montgomery Multiplier: core building block, computes A×B mod N efficiently (no division), pipelined for speed
- Modular Exponentiation: binary exponentiation (square-multiply algorithm), 1500-2000 modmuls for 2048-bit exponent (@ 50-200 ns/modmul = 100-400 µs per RSA)
ECC Hardware Acceleration
- ECDSA Signature: point multiplication (k×P), requires ~256 point additions (P256 curve), 100-1000 µs per signature (CPU-based ~10 ms)
- Curve Types: NIST curves (P-256, P-384, P-521), Curve25519/Curve448 (emerging), all supported by modern accelerators
- Point Operations: point addition (A+B), point doubling (2A), both require modular inversion (100-1000 cycles via extended Euclidean algorithm)
- Accelerator Design: dedicated adder/multiplier for field arithmetic, pipelined point doubling
SHA Hash Engine
- SHA-256: 256-bit digest, 512-bit message block, 64 rounds per block, sequential round processing
- SHA-3: Keccak permutation (1600-bit state), 24 rounds (vs SHA-256 64 rounds), higher throughput potential (parallelizable rounds)
- Pipelined SHA: simultaneous processing of multiple blocks (SHA-256 block 2 has same throughput as block 1 if pipelined), 10+ GB/s throughput
- HMAC: hash-based MAC (SHA(key XOR opad, SHA(key XOR ipad, msg))), two hash operations sequential (limited pipeline benefit)
TRNG (True Random Number Generator)
- Entropy Source: thermal noise (resistor Johnson noise), oscillator jitter, metastability
- Von Neumann Corrector: post-processor corrects biased entropy source (independent random bits), removes correlation
- NIST DRBG: deterministic random bit generator (seeded with entropy), provides cryptographic RNG (HMAC-DRBG, CTR-DRBG)
- Throughput: 1 Mbps typical for dedicated TRNG, sufficient for key generation + seed replenishment
Post-Quantum Cryptography (PQC) Hardware
- CRYSTALS-Kyber: lattice-based KEM (key encapsulation), polynomial multiplication over Z_q (q=3329), 1024-bit key, ~0.5 ms software (CPU)
- CRYSTALS-Dilithium: lattice-based signature, polynomial-ring operations, Gaussian sampling challenging to accelerate
- Hardware Acceleration: dedicated modular multiplier (mod q), polynomial multiplier, achieves 10-100 µs KEM key generation
- Constraints: larger keys (2.3 kB Kyber, vs 96 B ECDSA), larger ciphertexts, integrate gradually into TLS stacks
Protocol Offload (TLS/IPsec)
- TLS Offload: accelerator executes record-layer encryption (AES-GCM), reduces CPU load (offload ~80% CPU for HTTPS)
- IPsec Offload: encrypt/authenticate IP packets inline (AES-GCM + SHA-256), enables 1-10 Gbps throughput on standard CPU
- Handshake: RSA/ECDSA/ECDH operations in handshake (100-1000 ms total), accelerator speeds server handshake
- Session Key Derivation: HKDF or PRF (pseudo-random function), lower priority (not data-path bottleneck)
Performance Characteristics
- AES-256: 1-10 Gbps throughput, 100-200 mW power (energy efficiency ~10-50 pJ/byte)
- RSA-2048 Signature: 100-400 µs (vs 10-100 ms software), 500 mW peak power
- ECDSA-P256 Signature: 100-500 µs (vs 5-50 ms software), 300 mW peak power
- SHA-256: 1-10 Gbps, 50-100 mW power
Area and Power Trade-offs
- Unrolled Pipeline: deeper unrolling (multiple rounds/cycles) increases throughput but area/power grows quadratically
- Shared Multiplier: single multiplier (RSA+ECC+SHA share) saves area (20-30% area reduction), reduces peak throughput slightly
- Thermal Management: high-power cryptographic operations (RSA, ECC) generate heat, requires thermal throttling or cooling
Integration in SoC
- Memory Hierarchy: accelerator attached to system memory (DDR/HBM), key/data loaded via DMA
- Interrupt Handling: operation completion signaled via interrupt (CPU processes result), or polling (CPU waits)
- Power Saving: accelerator enters sleep when idle (low-power mode), reduces standby power
Future Roadmap: PQC hardware standardization ongoing (NIST finalists), hybrid classical+PQC expected by 2025-2030, standardized PQC ISA extensions (ARM, RISC-V) emerging.