1. Team W1 Design Manager: Rebecca Miller 1. Bobby Colyer (W11) 2. Jeffrey Kuo (W12) 3. Myron Kwai (W13) 4. Shirlene Lim (W14) Stage XII: April 28 th 2004 FINAL PRESENTATION Final Presentation: Rijndael Encryption Code Name: RD525 Overall Project Objective: Implement the new AES Rijndael algorithm on chip 18-525 Integrated Circuit Design Project

2. Presentation Outline Project Description – What’s Rijndael anyway? (Shirlene) Behavioral/Algorithmic Description – How does it work? (Shirlene) Marketing – Why do you care? (Jeff) Design Process – What did we do to get where we are now? (Jeff) Floorplan Evolution – How we did we get from ugly to pretty? (Myron) Issues Encountered – What made us want to rip our hair out? (Myron) Layout – What does our chip look like? (Myron) Verification – Are we sure it works? (Bobby) Specifications – What’s in our chip? (Bobby) Conclusions – Did we really learn anything? (Bobby) 18-525 Integrated Circuit Design Project

3. Project Description 18-525 Integrated Circuit Design Project

4. Project Description Objective: To implement the AES Encryption Standard (Rijndael) encoder into hardware For use in non-portable systems Desktop Computers and Servers Complementary chip to ethernet cards/motherboards Goals: 1:1 Aspect Ratio (Nice ‘n square!) Small chip size Speed Throughput 18-525 Integrated Circuit Design Project

5. Rijndael Overview Rijndael was one of the finalists to be the new Advanced Encryption Standard (AES) standard, and was selected by the National Institute of Standards and Technology (NIST) to replace the old Data Encryption Standard (DES) in October 2000. 18-525 Integrated Circuit Design Project This picture was taken from the Rijndael main page (http://www.esat.kuleuven.ac.be/~rijmen/rijndael/). No, we’re not that crazy…yet…http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ “Because of Rijndael's selection as AES, we have been selected as (Flemish) personalities of the year 2000. As a consequence, we were rewarded with the piece of art you see on the right. The coloured specks on the skull and the bones are in fact the shields of a rare beetle. Some people say it symbolizes the DES (bird) being replaced by the AES (skull).”

6. Behavioral/Algorithmic Description 18-525 Integrated Circuit Design Project

7. Our Algorithm Description 18-525 Integrated Circuit Design Project KeyAdd ByteSubShiftRowMixColumnKeyAdd ByteSubShiftRowKeyAdd Cipher Key Plain Text Round Key Cipher Text RoundKey FINAL ROUND EXECUTE 4 ROUNDS INITIAL ROUND Adding cipher key to plain text Lookup S-BOX & substitute values of matrix Second row shifted - Basically hardcoded by rewiring 3B 4D 1F2E 2B1C 3A4F 2B1C 3A4F 3A Each column XORed with values from the key schedule Each column added with Round Keys Lookup S-BOX & substitute values of matrix Second row shifted - Basically hardcoded by rewiring Each column added with Round Keys

8. Where’s the Flow of Data Go? DFFs for Valid Out Add Round Key Clock Divider Round Permutations and Pipeline DFFs Key Expands and Pipeline DFFs Mux Tree In Mux Tree Out Mux Tree In Mux Tree Out Final Text Out Final Text DFFs Input DFFs Select Logic Data Key

9. Marketing 18-525 Integrated Circuit Design Project

10. Rijndael Overview Why the Advanced Encryption Standard??? To replace current encryption standards Triple DES Why did Rijndael win? Theoretically unbreakable To protect digital information Data, voice, video, and images from attack, impersonation, or eavesdropping SSL Security for Internet Browsers 18-525 Integrated Circuit Design Project

11. Rijndael Overview Why was Rijndael chosen? Put simply, Rijndael has the best of everything: Considering software, hardware, and limited resource environments (Smart- Cards) Rjindael is a fast, simple, and compact algorithm Its simplicity offers implicit protection It offers little information for attackers to use while cracking it. Effective against all types of known attacks: Differential and Linear Cryptanalysis Square Attacks Truncated Differentials Rijndael is the best mixture of simplicity, speed, and protection! 18-525 Integrated Circuit Design Project

12. Rijndael Overview Why Do You Want Rijndael? AES is a standard for a reason IT executives will want AES in their networks Faster encryption with the widest range of devices Standardization has its benefits Reduced prices Greater compatibility Increased flexibility Easily extendable to other key and block lengths for further security 18-525 Integrated Circuit Design Project

13. Rijndael Overview Why the Advanced Encryption Standard??? Vendors will most likely switch to AES because delaying risks exclusion from federal contracts Products compatible with Rijndael and Triple-DES preferred Triple-DES is still a government-approved method Still highly secure and supported by NIST 18-525 Integrated Circuit Design Project AES vs. Triple-DES AESTriple-DES Type of algorithm Symmetric, block cipher Symmetric, feistel cipher Key size (in bits) 128, 192, 256112 or 168 Speed HighLow Time to crack ( assume a machine could try 255 keys per second — NIST ) 149 trillion years4.6 billion years Resource consumption LowMedium NIST standard number FIPS 197FIPS 46-3

14. Why Is Our Chip Cool Why in hardware? Rijndael performs well in software but in hardware… High performance is essential in servers and VPN (Virtual Private Network) applications Multiple S-Box, roundkey XORs, and shifts can be implemented efficiently, rather than being CPU intensive Hardware stores SBox, hard to crack or steal Private keys in software may be copied and attacked offline 18-525 Integrated Circuit Design Project

15. How Will We Sell It? We plan to sell it OEM to manufacturers to directly implement as part of their motherboards or ethernet cards Currently no motherboard manufacturers that we can find offer AES encryption built-in 18-525 Integrated Circuit Design Project

16. Design Process 18-525 Integrated Circuit Design Project

17. Design Process 18-525 Integrated Circuit Design Project Found Behavioral Non-Pipelined Verilog implementation of 128-bit Rijndael Encryption from Rudolf Usselmann http://www.opencores.org/cores/aes_core/ Started with 10, but cut Verilog down to 5 Rounds 10 Rounds required double the transistor count Broke behavioral Verilog modules down to structural code Took out functions, etc. and made them into sub-modules Pipelining – Added pipeline registers More Design Issues

18. Wait… 5 Rounds? 18-525 Integrated Circuit Design Project Our design would have been about 50,000 transistors if we did a 10 round encryption The class specification was to not have a design over 25K Which… we already went over. Although we only have 5 rounds, all the modules are already created and wired up internally Abutment of all the round permutations and key expansions This is the entire middle section of our chip! The outer area of our chip also abuts well Therefore, putting together a 10 round chip is just a little modification and adding interconnects

19. Transistor Estimates 18-525 Integrated Circuit Design Project Presentation 1: 25,300 Transistors (10-Round) Presentation 2: 30,500 Transistors (10-Round) Presentation 3: 26,250 Transistors (10-Round) Presentation 4: 52,275 Transistors (10-Round) 37985 Transistors (10-Round without 3 rd SBox) Presentation 5: 27,278 Transistors (5-Rounds) Presentation 6: 25,237 Transistors (5-Rounds) Presentation 8: 25,296 Transistors (5-Rounds) Final Transistor Count: 25,296 Transistors (5-Rounds)

20. Optimizations Along the Way… XTime (Found in MixCol of RoundPermutations) 18-525 Integrated Circuit Design Project

21. Optimizations Along the Way… XTime (Found in MixCol of RoundPermutations) 18-525 Integrated Circuit Design Project 5XORs * 2 XTime per MixCol * 2 MixCol Per Round * 4 Rounds = 80 XORs

22. Optimizations Along the Way… KeyExpand (The Hardcoded RCON Value) 18-525 Integrated Circuit Design Project

23. Optimizations Along the Way… KeyExpand (The Hardcoded RCON Value) One Row of XORs Eliminated 18-525 Integrated Circuit Design Project 16 XORs per KeyExpand * 5 KeyExpands = 80 XORs

24. Floorplan Evolution 18-525 Integrated Circuit Design Project

25. ROM BLOCK Evolution (10 Rounds) Floorplan Evolution (10 Rounds)

26. Floorplan Evolution (10 Rounds) 18-525 Integrated Circuit Design Project

27. ELIMINATION - Eliminate 5 rounds - Eliminate 1 SBOX & control logic - Reduce transistor count to 27k 18-525 Integrated Circuit Design Project

28. Floorplan Evolution (5 Rounds)

30. Final Layout

31. Issues Encountered 18-525 Integrated Circuit Design Project

32. Issues Encountered 18-525 Integrated Circuit Design Project Verilog –Converting behavioral to structural was just annoying –Pipelining the design required lots of renaming wires and adding registers A single misnamed wire caused a lot of debugging time Schematic –Pipelining: We wired the wrong wires to each stage of the pipeline –Made lots of changes that needed to be verified along the way Layout –Floorplanning: This changed literally every week! –Complexity of Design: Timing Issues, Non-Standard DFFs –Interconnects: Simply too many… SPICE –“No DC path to ground” – Being stupid Typing in wrong filenames for test vectors Wrong time increments Not using the extracted (restarting a simulation that took forever makes us cry) Running out of space for extracting layout –E-mail gripe

33. Layout 18-525 Integrated Circuit Design Project

34. 3 Types of DFFs 18-525 Integrated Circuit Design Project Non-Resetting DFF Non-Resetting DFF with Enable Standard D-FlipFlop

35. Clock Divider 18-525 Integrated Circuit Design Project The Clock Divider creates the slow clock from the fast clock. There are 21 fast clocks in a slow clock, allowing for all 20 reads from the ROM and an extra cycle for propagation of signals. This happens through every stage of the pipeline, which is controlled via the slow clock.

36. ROM, Control Logic, MUXes and Buffers ROM and Control Logic MUXes and Buffers Output Wires

37. Current Floorplan 350 um x 335 um Metal 3 Metal 2 Metal 1 Metal 4 SBOX and Control Logic Text DFFs and Add Round Key 5 th Round Key Expand Input to SBOX Logic & Select Output and Input Logic 4 Rounds of Key Expand 4 Rounds of Round Permutation Input/Output Logic CLK Divider Select & Input Logic SBOX and Control Logic Final Text Out Key DFFs and Input Logic Output DFFS

38. POLY AND ACTIVE

39. METAL 1

40. METAL 2

41. METAL 3

42. METAL 4

43. LVS – ROM and Input Logic and Output DFFs One Round of the encryption process, which abuts to each other round, and also has wires pulled out ready to connect to signals coming from the ROM

44. LVS – Inner Area – AES Key Expand – All 4 stages

45. Full Layout

46. Verification 18-525 Integrated Circuit Design Project

47. FIPS Test Vectors 18-525 Integrated Circuit Design Project Using FIPS Test Vectors for External Verilog Simulation Verification  FIPS – Federal Information Processing Standards

48. Verilog Re-Verification (5 Round) 18-525 Integrated Circuit Design Project reg [4:0] counterx; always #5 clk = ~clk; initial begin counterx = 0; end always@(posedge clk) begin counterx = counterx + 1; if (counterx == 21) begin counterx = 0; end end initial begin clk = 1'b1; rst = 1'b1; #10 rst = 1'b0; #10 rst =1; @(posedge valid_in); text_in1[31:0] = 32'h00000000; // Expected: 1B3E9EDF key1[31:0] = 32'hFB473859; vin = 1; @(posedge valid_in); key1[31:0] = 32'b00000000000000000000000000000000; text_in1[31:0] = 32'h08f273e6; // Expected: 2DF5C18E vin = 1; @(posedge valid_in); key1[31:0] = 32'h00000000; text_in1[31:0] = 32'h10174E72; // Expected: 87FE42E7 vin = 1; @(posedge valid_in); key1[31:0] = 32'h00000000; text_in1[31:0] = 32'h30C42168; // Expected: 0BD9AFAC vin = 1; @(posedge valid_in); key1[31:0] = 32'h2F764A41; text_in1[31:0] = 32'h00000000; // Expected: 43B28B72 vin = 1; @(posedge valid_in); key1[31:0] = 32'h00000000; text_in1[31:0] = 32'h91f0aca1; // Expected: c913f5ed vin = 1; @(posedge valid_in); key1[31:0] = 32'h851b64d9; text_in1[31:0] = 32'h00000000; // Expected: 30d0299b vin = 1; @(posedge valid_in); key1[31:0] = 32'hc0000000; text_in1[31:0] = 32'h00000000; // Expected: ec4b0b60 vin = 1; @(posedge valid_in); key1[31:0] = 32'hfff80000; text_in1[31:0] = 32'h00000000; // Expected: b3adb97e vin = 1; @(posedge valid_in); key1[31:0] = 32'h00000000; text_in1[31:0] = 32'h9b0cb284; // Expected: 69551ee1 vin = 1; #10000 $finish; end The Result of the Non-Resetting DFFs (Used to be junk values)

49. Top Level Schematic (Used for LVS)

50. SPICE Simulation: Critical Path

51. module aes_sbox(a,d); input[7:0]a; output[7:0]d; reg[7:0]d; always @(a) case(a) 8'h00: d=8'h63; 8'h01: d=8'h7c; 8'h02: d=8'h77; 8'h03: d=8'h7b; 8'h04: d=8'hf2; 8'h05: d=8'h6b; 8'h06: d=8'h6f; 8'h07: d=8'hc5; 8'h08: d=8'h30; 8'h09: d=8'h01; 8'h0a: d=8'h67; 8'h0b: d=8'h2b; 8'h0c: d=8'hfe; 8'h0d: d=8'hd7; 8'h0e: d=8'hab; 8'h0f: d=8'h76; 8'h10: d=8'hca; 8'h11: d=8'h82; 8'h12: d=8'hc9; 8'h13: d=8'h7d; 8'h14: d=8'hfa; 8'h15: d=8'h59; 8'h16: d=8'h47; 8'h17: d=8'hf0; 8'h18: d=8'had; 8'h19: d=8'hd4; 8'h1a: d=8'ha2; 8'h1b: d=8'haf; 8'h1c: d=8'h9c; 8'h1d: d=8'ha4; 8'h1e: d=8'h72; 8'h1f: d=8'hc0; 8'h20: d=8'hb7; 8'h21: d=8'hfd; 8'h22: d=8'h93; 8'h23: d=8'h26; 8'h24: d=8'h36; 8'h25: d=8'h3f; 8'h26: d=8'hf7; 8'h27: d=8'hcc; 8'h28: d=8'h34; 8'h29: d=8'ha5; 8'h2a: d=8'he5; 8'h2b: d=8'hf1; 8'h2c: d=8'h71; 8'h2d: d=8'hd8; 8'h2e: d=8'h31; 8'h2f: d=8'h15; 8'h30: d=8'h04; 8'h31: d=8'hc7; 8'h32: d=8'h23; 8'h33: d=8'hc3; 8'h34: d=8'h18; 8'h35: d=8'h96; 8'h36: d=8'h05; 8'h37: d=8'h9a; 8'h38: d=8'h07; 8'h39: d=8'h12; 8'h3a: d=8'h80; 8'h3b: d=8'he2; 8'h3c: d=8'heb; 8'h3d: d=8'h27; 8'h3e: d=8'hb2; 8'h3f: d=8'h75; 8'h40: d=8'h09; 8'h41: d=8'h83; 8'h42: d=8'h2c; 8'h43: d=8'h1a; 8'h44: d=8'h1b; 8'h45: d=8'h6e; 8'h46: d=8'h5a; 8'h47: d=8'ha0; 8'h48: d=8'h52; 8'h49: d=8'h3b; 8'h4a: d=8'hd6; 8'h4b: d=8'hb3; 8'h4c: d=8'h29; 8'h4d: d=8'he3; 8'h4e: d=8'h2f; 8'h4f: d=8'h84; 8'h50: d=8'h53; 8'h51: d=8'hd1; 8'h52: d=8'h00; 8'h53: d=8'hed; 8'h54: d=8'h20; 8'h55: d=8'hfc; 8'h56: d=8'hb1; 8'h57: d=8'h5b; 8'h58: d=8'h6a; 8'h59: d=8'hcb; 8'h5a: d=8'hbe; 8'h5b: d=8'h39; 8'h5c: d=8'h4a; 8'h5d: d=8'h4c; 8'h5e: d=8'h58; 8'h5f: d=8'hcf; 8'h60: d=8'hd0; 8'h61: d=8'hef; 8'h62: d=8'haa; 8'h63: d=8'hfb; 8'h64: d=8'h43; 8'h65: d=8'h4d; 8'h66: d=8'h33; 8'h67: d=8'h85; 8'h68: d=8'h45; 8'h69: d=8'hf9; 8'h6a: d=8'h02; 8'h6b: d=8'h7f; 8'h6c: d=8'h50; 8'h6d: d=8'h3c; 8'h6e: d=8'h9f; 8'h6f: d=8'ha8; 8'h70: d=8'h51; 8'h71: d=8'ha3; 8'h72: d=8'h40; 8'h73: d=8'h8f; 8'h74: d=8'h92; 8'h75: d=8'h9d; 8'h76: d=8'h38; 8'h77: d=8'hf5; 8'h78: d=8'hbc; 8'h79: d=8'hb6; 8'h7a: d=8'hda; 8'h7b: d=8'h21; 8'h7c: d=8'h10; 8'h7d: d=8'hff; 8'h7e: d=8'hf3; 8'h7f: d=8'hd2; 8'h80: d=8'hcd; 8'h81: d=8'h0c; 8'h82: d=8'h13; 8'h83: d=8'hec; 8'h84: d=8'h5f; 8'h85: d=8'h97; 8'h86: d=8'h44; 8'h87: d=8'h17; 8'h88: d=8'hc4; 8'h89: d=8'ha7; 8'h8a: d=8'h7e; 8'h8b: d=8'h3d; 8'h8c: d=8'h64; 8'h8d: d=8'h5d; 8'h8e: d=8'h19; 8'h8f: d=8'h73; 8'h90: d=8'h60; 8'h91: d=8'h81; 8'h92: d=8'h4f; 8'h93: d=8'hdc; 8'h94: d=8'h22; 8'h95: d=8'h2a; 8'h96: d=8'h90; 8'h97: d=8'h88; 8'h98: d=8'h46; 8'h99: d=8'hee; 8'h9a: d=8'hb8; 8'h9b: d=8'h14; 8'h9c: d=8'hde; 8'h9d: d=8'h5e; 8'h9e: d=8'h0b; 8'h9f: d=8'hdb; 8'ha0: d=8'he0; 8'ha1: d=8'h32; 8'ha2: d=8'h3a; 8'ha3: d=8'h0a; 8'ha4: d=8'h49; 8'ha5: d=8'h06; 8'ha6: d=8'h24; 8'ha7: d=8'h5c; 8'ha8: d=8'hc2; 8'ha9: d=8'hd3; 8'haa: d=8'hac; 8'hab: d=8'h62; 8'hac: d=8'h91; 8'had: d=8'h95; 8'hae: d=8'he4; 8'haf: d=8'h79; 8'hb0: d=8'he7; 8'hb1: d=8'hc8; 8'hb2: d=8'h37; 8'hb3: d=8'h6d; 8'hb4: d=8'h8d; 8'hb5: d=8'hd5; 8'hb6: d=8'h4e; 8'hb7: d=8'ha9; 8'hb8: d=8'h6c; 8'hb9: d=8'h56; 8'hba: d=8'hf4; 8'hbb: d=8'hea; 8'hbc: d=8'h65; 8'hbd: d=8'h7a; 8'hbe: d=8'hae; 8'hbf: d=8'h08; 8'hc0: d=8'hba; 8'hc1: d=8'h78; 8'hc2: d=8'h25; 8'hc3: d=8'h2e; 8'hc4: d=8'h1c; 8'hc5: d=8'ha6; 8'hc6: d=8'hb4; 8'hc7: d=8'hc6; 8'hc8: d=8'he8; 8'hc9: d=8'hdd; 8'hca: d=8'h74; 8'hcb: d=8'h1f; 8'hcc: d=8'h4b; 8'hcd: d=8'hbd; 8'hce: d=8'h8b; 8'hcf: d=8'h8a; 8'hd0: d=8'h70; 8'hd1: d=8'h3e; 8'hd2: d=8'hb5; 8'hd3: d=8'h66; 8'hd4: d=8'h48; 8'hd5: d=8'h03; 8'hd6: d=8'hf6; 8'hd7: d=8'h0e; 8'hd8: d=8'h61; 8'hd9: d=8'h35; 8'hda: d=8'h57; 8'hdb: d=8'hb9; 8'hdc: d=8'h86; 8'hdd: d=8'hc1; 8'hde: d=8'h1d; 8'hdf: d=8'h9e; 8'he0: d=8'he1; 8'he1: d=8'hf8; 8'he2: d=8'h98; 8'he3: d=8'h11; 8'he4: d=8'h69; 8'he5: d=8'hd9; 8'he6: d=8'h8e; 8'he7: d=8'h94; 8'he8: d=8'h9b; 8'he9: d=8'h1e; 8'hea: d=8'h87; 8'heb: d=8'he9; 8'hec: d=8'hce; 8'hed: d=8'h55; 8'hee: d=8'h28; 8'hef: d=8'hdf; 8'hf0: d=8'h8c; 8'hf1: d=8'ha1; 8'hf2: d=8'h89; 8'hf3: d=8'h0d; 8'hf4: d=8'hbf; 8'hf5: d=8'he6; 8'hf6: d=8'h42; 8'hf7: d=8'h68; 8'hf8: d=8'h41; 8'hf9: d=8'h99; 8'hfa: d=8'h2d; 8'hfb: d=8'h0f; 8'hfc: d=8'hb0; 8'hfd: d=8'h54; 8'hfe: d=8'hbb; 8'hff: d=8'h16; endcase

52. SPICE Simulation: Critical Path 0001 0110 = 0x16 0110 0011 = 0x63 0000 0000 = 0x00

53. SPICE Simulation: Right Bus

55. Specifications 18-525 Integrated Circuit Design Project

56. Final Dimensions Total Area: 350 um x 335 um = 117250 sq. um Transistor Count: 25,296 transistors Transistor Density: 0.216 Aspect Ratio: 1.045 Pin Count: 100 pins with 3 optional for connectivity with larger designs –Input: Key 32 pins, Data 32 pins –Output: Data 32 pins –vdd, gnd, clk, rst –Optional Pins: valid_in, valid_out, ready Clock Speed: 350 MHz (fast clock), 16.67 MHz (slow clock) –Throughput: 508 Mbits/sec 32bits x 16.67 MHz / 1024 / 1024 = 508 Mbits/sec Slow Clock = 21 Fast Clocks

57. Conclusions 18-525 Integrated Circuit Design Project

58. Conclusions 18-525 is not to be taken lightly Take easy classes www.addictinggames.com is your friend during simulations, extractions, DRC, LVSwww.addictinggames.com But seriously… Communication is key Documentation of changes Floorplanning, abutment is fundamental Optimization of logic is important Plan buffers in your design initially, not after (fan-out) –You will not have room later! Be as flexible as possible with the design, IT WILL CHANGE

59. Questions? 18-525 Integrated Circuit Design Project Team W1 Is: Bobby Colyer, Jeffrey Kuo Myron Kwai, Shirlene Lim