Implementation on FPGA - 2024.2 English

Vitis Libraries

Document ID
XD160
Release Date
2024-11-29
Version
2024.2 English

The GCM mode including both encryption and decryption parts is supported in this implementation.

Attention

The bit-width of the interfaces provided is shown as follows:

  payload lenPld AAD lenAAD IV cipherkey cipher lenCph tag
GCM-AES128 128 64 128 64 96 128 128 64 128
GCM-AES192 128 64 128 64 96 192 128 64 128
GCM-AES256 128 64 128 64 96 256 128 64 128

Caution

Applicable conditions:

1. The bit-width of initialization vector must be precisely 96 as recommended in the standard to promote interoperability, efficiency, and simplicity of the design.

1.The MAC value instead of a FAIL flag in decryption part is provided, therefore, take care of the MAC, which is given by the encryption part to judge the authenticity of the data. If the data is authentic, the MACs should be equal.

The algorithm flow chart of encryption part of GCM mode is shown below:

algorithm flow chart of GCM_encryption

As seen from the chart, the GCM encryption part can be divided into two individual parts: The Counter Mode (CTR) and The Galois Message Authentication Code (GMAC). GCM is used to encrypt the plaintext to ciphertext, and GMAC is used to generate the MAC. The algorithm flow chart of decryption part of GCM mode is shown as follows:

algorithm flow chart of GCM_decryption

The decryption part is very similar with the encryption part of GCM mode. The only difference is that the ciphertext to plaintext is decrypted in the decryption part.

The internal structure of both encryption and decryption parts of GCM is shown in the following figures:

internal structure of GCM internal structure of GCM

In the implementation, the encryption part of GCM mode has two modules, which are aesGctrEncrypt and genGMAC. Use the first two iterations in aesGctrEncrypt to calculate the hash subkey (H) and E(K,Y0), and pass them onto the genGMAC module through streams in dataflow region instead of implementing the AES block cipher in genGMAC to save the resources. As the two modules can work independently, they are designed into parallel dataflow processes, and connected by streams (FIFOs). The decryption part can be deduced in the same way, the only difference is that the ciphertext and its length streams, which are fed to genGMAC, are directly taken from the input ports.