diff options
author | Joachim StroĢmbergson <joachim@secworks.se> | 2018-05-21 15:35:55 +0200 |
---|---|---|
committer | Joachim StroĢmbergson <joachim@secworks.se> | 2018-05-21 15:35:55 +0200 |
commit | e389761d61a5616add66ce2dacd0f13feb68d1e1 (patch) | |
tree | 2fc3494df24eef6a05d51a478257eebf53760bb6 /src/rtl |
Adding inital version of AES core optimized for performance.
Diffstat (limited to 'src/rtl')
-rw-r--r-- | src/rtl/aes.v | 278 | ||||
-rw-r--r-- | src/rtl/aes_core.v | 339 | ||||
-rw-r--r-- | src/rtl/aes_decipher_block.v | 525 | ||||
-rw-r--r-- | src/rtl/aes_encipher_block.v | 486 | ||||
-rw-r--r-- | src/rtl/aes_inv_sbox.v | 325 | ||||
-rw-r--r-- | src/rtl/aes_key_mem.v | 454 | ||||
-rw-r--r-- | src/rtl/aes_sbox.v | 325 |
7 files changed, 2732 insertions, 0 deletions
diff --git a/src/rtl/aes.v b/src/rtl/aes.v new file mode 100644 index 0000000..0d719d2 --- /dev/null +++ b/src/rtl/aes.v @@ -0,0 +1,278 @@ +//====================================================================== +// +// aes.v +// -------- +// Top level wrapper for the AES block cipher core. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes( + // Clock and reset. + input wire clk, + input wire reset_n, + + // Control. + input wire cs, + input wire we, + + // Data ports. + input wire [7 : 0] address, + input wire [31 : 0] write_data, + output wire [31 : 0] read_data, + output wire error + ); + + //---------------------------------------------------------------- + // Internal constant and parameter definitions. + //---------------------------------------------------------------- + localparam ADDR_NAME0 = 8'h00; + localparam ADDR_NAME1 = 8'h01; + localparam ADDR_VERSION = 8'h02; + + localparam ADDR_CTRL = 8'h08; + localparam CTRL_INIT_BIT = 0; + localparam CTRL_NEXT_BIT = 1; + + localparam ADDR_STATUS = 8'h09; + localparam STATUS_READY_BIT = 0; + localparam STATUS_VALID_BIT = 1; + + localparam ADDR_CONFIG = 8'h0a; + localparam CTRL_ENCDEC_BIT = 0; + localparam CTRL_KEYLEN_BIT = 1; + + localparam ADDR_KEY0 = 8'h10; + localparam ADDR_KEY7 = 8'h17; + + localparam ADDR_BLOCK0 = 8'h20; + localparam ADDR_BLOCK3 = 8'h23; + + localparam ADDR_RESULT0 = 8'h30; + localparam ADDR_RESULT1 = 8'h31; + localparam ADDR_RESULT2 = 8'h32; + localparam ADDR_RESULT3 = 8'h33; + + localparam CORE_NAME0 = 32'h61657320; // "aes " + localparam CORE_NAME1 = 32'h20202020; // " " + localparam CORE_VERSION = 32'h302e3630; // "0.60" + + + //---------------------------------------------------------------- + // Registers including update variables and write enable. + //---------------------------------------------------------------- + reg init_reg; + reg init_new; + + reg next_reg; + reg next_new; + + reg encdec_reg; + reg keylen_reg; + reg config_we; + + reg [31 : 0] block_reg [0 : 3]; + reg block_we; + + reg [31 : 0] key_reg [0 : 7]; + reg key_we; + + reg [127 : 0] result_reg; + reg valid_reg; + reg ready_reg; + + + //---------------------------------------------------------------- + // Wires. + //---------------------------------------------------------------- + reg [31 : 0] tmp_read_data; + reg tmp_error; + + wire core_encdec; + wire core_init; + wire core_next; + wire core_ready; + wire [255 : 0] core_key; + wire core_keylen; + wire [127 : 0] core_block; + wire [127 : 0] core_result; + wire core_valid; + + + //---------------------------------------------------------------- + // Concurrent connectivity for ports etc. + //---------------------------------------------------------------- + assign read_data = tmp_read_data; + assign error = tmp_error; + + assign core_key = {key_reg[0], key_reg[1], key_reg[2], key_reg[3], + key_reg[4], key_reg[5], key_reg[6], key_reg[7]}; + + assign core_block = {block_reg[0], block_reg[1], + block_reg[2], block_reg[3]}; + assign core_init = init_reg; + assign core_next = next_reg; + assign core_encdec = encdec_reg; + assign core_keylen = keylen_reg; + + + //---------------------------------------------------------------- + // core instantiation. + //---------------------------------------------------------------- + aes_core core( + .clk(clk), + .reset_n(reset_n), + + .encdec(core_encdec), + .init(core_init), + .next(core_next), + .ready(core_ready), + + .key(core_key), + .keylen(core_keylen), + + .block(core_block), + .result(core_result), + .result_valid(core_valid) + ); + + + //---------------------------------------------------------------- + // reg_update + // Update functionality for all registers in the core. + // All registers are positive edge triggered with asynchronous + // active low reset. + //---------------------------------------------------------------- + always @ (posedge clk or negedge reset_n) + begin : reg_update + integer i; + + if (!reset_n) + begin + for (i = 0 ; i < 4 ; i = i + 1) + block_reg[i] <= 32'h0; + + for (i = 0 ; i < 8 ; i = i + 1) + key_reg[i] <= 32'h0; + + init_reg <= 1'b0; + next_reg <= 1'b0; + encdec_reg <= 1'b0; + keylen_reg <= 1'b0; + + result_reg <= 128'h0; + valid_reg <= 1'b0; + ready_reg <= 1'b0; + end + else + begin + ready_reg <= core_ready; + valid_reg <= core_valid; + result_reg <= core_result; + init_reg <= init_new; + next_reg <= next_new; + + if (config_we) + begin + encdec_reg <= write_data[CTRL_ENCDEC_BIT]; + keylen_reg <= write_data[CTRL_KEYLEN_BIT]; + end + + if (key_we) + key_reg[address[2 : 0]] <= write_data; + + if (block_we) + block_reg[address[1 : 0]] <= write_data; + end + end // reg_update + + + //---------------------------------------------------------------- + // api + // + // The interface command decoding logic. + //---------------------------------------------------------------- + always @* + begin : api + init_new = 1'b0; + next_new = 1'b0; + config_we = 1'b0; + key_we = 1'b0; + block_we = 1'b0; + tmp_read_data = 32'h0; + tmp_error = 1'b0; + + if (cs) + begin + if (we) + begin + if (address == ADDR_CTRL) + begin + init_new = write_data[CTRL_INIT_BIT]; + next_new = write_data[CTRL_NEXT_BIT]; + end + + if (address == ADDR_CONFIG) + config_we = 1'b1; + + if ((address >= ADDR_KEY0) && (address <= ADDR_KEY7)) + key_we = 1'b1; + + if ((address >= ADDR_BLOCK0) && (address <= ADDR_BLOCK3)) + block_we = 1'b1; + end // if (we) + + else + begin + case (address) + ADDR_NAME0: tmp_read_data = CORE_NAME0; + ADDR_NAME1: tmp_read_data = CORE_NAME1; + ADDR_VERSION: tmp_read_data = CORE_VERSION; + ADDR_CTRL: tmp_read_data = {28'h0, keylen_reg, encdec_reg, next_reg, init_reg}; + ADDR_STATUS: tmp_read_data = {30'h0, valid_reg, ready_reg}; + + default: + begin + end + endcase // case (address) + + if ((address >= ADDR_RESULT0) && (address <= ADDR_RESULT3)) + tmp_read_data = result_reg[(3 - (address - ADDR_RESULT0)) * 32 +: 32]; + end + end + end // addr_decoder +endmodule // aes + +//====================================================================== +// EOF aes.v +//====================================================================== diff --git a/src/rtl/aes_core.v b/src/rtl/aes_core.v new file mode 100644 index 0000000..5196a1f --- /dev/null +++ b/src/rtl/aes_core.v @@ -0,0 +1,339 @@ +//====================================================================== +// +// aes.core.v +// ---------- +// The AES core. This core supports key size of 128, and 256 bits. +// Most of the functionality is within the submodules. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_core( + input wire clk, + input wire reset_n, + + input wire encdec, + input wire init, + input wire next, + output wire ready, + + input wire [255 : 0] key, + input wire keylen, + + input wire [127 : 0] block, + output wire [127 : 0] result, + output wire result_valid + ); + + + + + //---------------------------------------------------------------- + // Internal constant and parameter definitions. + //---------------------------------------------------------------- + localparam CTRL_IDLE = 2'h0; + localparam CTRL_INIT = 2'h1; + localparam CTRL_NEXT = 2'h2; + + + //---------------------------------------------------------------- + // Registers including update variables and write enable. + //---------------------------------------------------------------- + reg [1 : 0] aes_core_ctrl_reg; + reg [1 : 0] aes_core_ctrl_new; + reg aes_core_ctrl_we; + + reg result_valid_reg; + reg result_valid_new; + reg result_valid_we; + + reg ready_reg; + reg ready_new; + reg ready_we; + + + //---------------------------------------------------------------- + // Wires. + //---------------------------------------------------------------- + reg init_state; + + wire [127 : 0] round_key; + wire key_ready; + + reg enc_next; + wire [3 : 0] enc_round_nr; + wire [127 : 0] enc_new_block; + wire enc_ready; + wire [31 : 0] enc_sboxw; + + reg dec_next; + wire [3 : 0] dec_round_nr; + wire [127 : 0] dec_new_block; + wire dec_ready; + + reg [127 : 0] muxed_new_block; + reg [3 : 0] muxed_round_nr; + reg muxed_ready; + + wire [31 : 0] keymem_sboxw; + + reg [31 : 0] muxed_sboxw; + wire [31 : 0] new_sboxw; + + + //---------------------------------------------------------------- + // Instantiations. + //---------------------------------------------------------------- + aes_encipher_block enc_block( + .clk(clk), + .reset_n(reset_n), + + .next(enc_next), + + .keylen(keylen), + .round(enc_round_nr), + .round_key(round_key), + + .sboxw(enc_sboxw), + .new_sboxw(new_sboxw), + + .block(block), + .new_block(enc_new_block), + .ready(enc_ready) + ); + + + aes_decipher_block dec_block( + .clk(clk), + .reset_n(reset_n), + + .next(dec_next), + + .keylen(keylen), + .round(dec_round_nr), + .round_key(round_key), + + .block(block), + .new_block(dec_new_block), + .ready(dec_ready) + ); + + + aes_key_mem keymem( + .clk(clk), + .reset_n(reset_n), + + .key(key), + .keylen(keylen), + .init(init), + + .round(muxed_round_nr), + .round_key(round_key), + .ready(key_ready), + + .sboxw(keymem_sboxw), + .new_sboxw(new_sboxw) + ); + + + aes_sbox sbox_inst(.sboxw(muxed_sboxw), .new_sboxw(new_sboxw)); + + + //---------------------------------------------------------------- + // Concurrent connectivity for ports etc. + //---------------------------------------------------------------- + assign ready = ready_reg; + assign result = muxed_new_block; + assign result_valid = result_valid_reg; + + + //---------------------------------------------------------------- + // reg_update + // + // Update functionality for all registers in the core. + // All registers are positive edge triggered with asynchronous + // active low reset. All registers have write enable. + //---------------------------------------------------------------- + always @ (posedge clk or negedge reset_n) + begin: reg_update + if (!reset_n) + begin + result_valid_reg <= 1'b0; + ready_reg <= 1'b1; + aes_core_ctrl_reg <= CTRL_IDLE; + end + else + begin + if (result_valid_we) + result_valid_reg <= result_valid_new; + + if (ready_we) + ready_reg <= ready_new; + + if (aes_core_ctrl_we) + aes_core_ctrl_reg <= aes_core_ctrl_new; + end + end // reg_update + + + //---------------------------------------------------------------- + // sbox_mux + // + // Controls which of the encipher datapath or the key memory + // that gets access to the sbox. + //---------------------------------------------------------------- + always @* + begin : sbox_mux + if (init_state) + begin + muxed_sboxw = keymem_sboxw; + end + else + begin + muxed_sboxw = enc_sboxw; + end + end // sbox_mux + + + //---------------------------------------------------------------- + // encdex_mux + // + // Controls which of the datapaths that get the next signal, have + // access to the memory as well as the block processing result. + //---------------------------------------------------------------- + always @* + begin : encdec_mux + enc_next = 1'b0; + dec_next = 1'b0; + + if (encdec) + begin + // Encipher operations + enc_next = next; + muxed_round_nr = enc_round_nr; + muxed_new_block = enc_new_block; + muxed_ready = enc_ready; + end + else + begin + // Decipher operations + dec_next = next; + muxed_round_nr = dec_round_nr; + muxed_new_block = dec_new_block; + muxed_ready = dec_ready; + end + end // encdec_mux + + + //---------------------------------------------------------------- + // aes_core_ctrl + // + // Control FSM for aes core. Basically tracks if we are in + // key init, encipher or decipher modes and connects the + // different submodules to shared resources and interface ports. + //---------------------------------------------------------------- + always @* + begin : aes_core_ctrl + init_state = 1'b0; + ready_new = 1'b0; + ready_we = 1'b0; + result_valid_new = 1'b0; + result_valid_we = 1'b0; + aes_core_ctrl_new = CTRL_IDLE; + aes_core_ctrl_we = 1'b0; + + case (aes_core_ctrl_reg) + CTRL_IDLE: + begin + if (init) + begin + init_state = 1'b1; + ready_new = 1'b0; + ready_we = 1'b1; + result_valid_new = 1'b0; + result_valid_we = 1'b1; + aes_core_ctrl_new = CTRL_INIT; + aes_core_ctrl_we = 1'b1; + end + else if (next) + begin + init_state = 1'b0; + ready_new = 1'b0; + ready_we = 1'b1; + result_valid_new = 1'b0; + result_valid_we = 1'b1; + aes_core_ctrl_new = CTRL_NEXT; + aes_core_ctrl_we = 1'b1; + end + end + + CTRL_INIT: + begin + init_state = 1'b1; + + if (key_ready) + begin + ready_new = 1'b1; + ready_we = 1'b1; + aes_core_ctrl_new = CTRL_IDLE; + aes_core_ctrl_we = 1'b1; + end + end + + CTRL_NEXT: + begin + init_state = 1'b0; + + if (muxed_ready) + begin + ready_new = 1'b1; + ready_we = 1'b1; + result_valid_new = 1'b1; + result_valid_we = 1'b1; + aes_core_ctrl_new = CTRL_IDLE; + aes_core_ctrl_we = 1'b1; + end + end + + default: + begin + + end + endcase // case (aes_core_ctrl_reg) + + end // aes_core_ctrl +endmodule // aes_core + +//====================================================================== +// EOF aes_core.v +//====================================================================== diff --git a/src/rtl/aes_decipher_block.v b/src/rtl/aes_decipher_block.v new file mode 100644 index 0000000..82bdffb --- /dev/null +++ b/src/rtl/aes_decipher_block.v @@ -0,0 +1,525 @@ +//====================================================================== +// +// aes_decipher_block.v +// -------------------- +// The AES decipher round. A pure combinational module that implements +// the initial round, main round and final round logic for +// decciper operations. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_decipher_block( + input wire clk, + input wire reset_n, + + input wire next, + + input wire keylen, + output wire [3 : 0] round, + input wire [127 : 0] round_key, + + input wire [127 : 0] block, + output wire [127 : 0] new_block, + output wire ready + ); + + + //---------------------------------------------------------------- + // Internal constant and parameter definitions. + //---------------------------------------------------------------- + localparam AES_128_BIT_KEY = 1'h0; + localparam AES_256_BIT_KEY = 1'h1; + + localparam AES128_ROUNDS = 4'ha; + localparam AES256_ROUNDS = 4'he; + + localparam NO_UPDATE = 3'h0; + localparam INIT_UPDATE = 3'h1; + localparam SBOX_UPDATE = 3'h2; + localparam MAIN_UPDATE = 3'h3; + localparam FINAL_UPDATE = 3'h4; + + localparam CTRL_IDLE = 3'h0; + localparam CTRL_INIT = 3'h1; + localparam CTRL_SBOX = 3'h2; + localparam CTRL_MAIN = 3'h3; + localparam CTRL_FINAL = 3'h4; + + + //---------------------------------------------------------------- + // Gaolis multiplication functions for Inverse MixColumn. + //---------------------------------------------------------------- + function [7 : 0] gm2(input [7 : 0] op); + begin + gm2 = {op[6 : 0], 1'b0} ^ (8'h1b & {8{op[7]}}); + end + endfunction // gm2 + + function [7 : 0] gm3(input [7 : 0] op); + begin + gm3 = gm2(op) ^ op; + end + endfunction // gm3 + + function [7 : 0] gm4(input [7 : 0] op); + begin + gm4 = gm2(gm2(op)); + end + endfunction // gm4 + + function [7 : 0] gm8(input [7 : 0] op); + begin + gm8 = gm2(gm4(op)); + end + endfunction // gm8 + + function [7 : 0] gm09(input [7 : 0] op); + begin + gm09 = gm8(op) ^ op; + end + endfunction // gm09 + + function [7 : 0] gm11(input [7 : 0] op); + begin + gm11 = gm8(op) ^ gm2(op) ^ op; + end + endfunction // gm11 + + function [7 : 0] gm13(input [7 : 0] op); + begin + gm13 = gm8(op) ^ gm4(op) ^ op; + end + endfunction // gm13 + + function [7 : 0] gm14(input [7 : 0] op); + begin + gm14 = gm8(op) ^ gm4(op) ^ gm2(op); + end + endfunction // gm14 + + function [31 : 0] inv_mixw(input [31 : 0] w); + reg [7 : 0] b0, b1, b2, b3; + reg [7 : 0] mb0, mb1, mb2, mb3; + begin + b0 = w[31 : 24]; + b1 = w[23 : 16]; + b2 = w[15 : 08]; + b3 = w[07 : 00]; + + mb0 = gm14(b0) ^ gm11(b1) ^ gm13(b2) ^ gm09(b3); + mb1 = gm09(b0) ^ gm14(b1) ^ gm11(b2) ^ gm13(b3); + mb2 = gm13(b0) ^ gm09(b1) ^ gm14(b2) ^ gm11(b3); + mb3 = gm11(b0) ^ gm13(b1) ^ gm09(b2) ^ gm14(b3); + + inv_mixw = {mb0, mb1, mb2, mb3}; + end + endfunction // mixw + + function [127 : 0] inv_mixcolumns(input [127 : 0] data); + reg [31 : 0] w0, w1, w2, w3; + reg [31 : 0] ws0, ws1, ws2, ws3; + begin + w0 = data[127 : 096]; + w1 = data[095 : 064]; + w2 = data[063 : 032]; + w3 = data[031 : 000]; + + ws0 = inv_mixw(w0); + ws1 = inv_mixw(w1); + ws2 = inv_mixw(w2); + ws3 = inv_mixw(w3); + + inv_mixcolumns = {ws0, ws1, ws2, ws3}; + end + endfunction // inv_mixcolumns + + function [127 : 0] inv_shiftrows(input [127 : 0] data); + reg [31 : 0] w0, w1, w2, w3; + reg [31 : 0] ws0, ws1, ws2, ws3; + begin + w0 = data[127 : 096]; + w1 = data[095 : 064]; + w2 = data[063 : 032]; + w3 = data[031 : 000]; + + ws0 = {w0[31 : 24], w3[23 : 16], w2[15 : 08], w1[07 : 00]}; + ws1 = {w1[31 : 24], w0[23 : 16], w3[15 : 08], w2[07 : 00]}; + ws2 = {w2[31 : 24], w1[23 : 16], w0[15 : 08], w3[07 : 00]}; + ws3 = {w3[31 : 24], w2[23 : 16], w1[15 : 08], w0[07 : 00]}; + + inv_shiftrows = {ws0, ws1, ws2, ws3}; + end + endfunction // inv_shiftrows + + function [127 : 0] addroundkey(input [127 : 0] data, input [127 : 0] rkey); + begin + addroundkey = data ^ rkey; + end + endfunction // addroundkey + + + //---------------------------------------------------------------- + // Registers including update variables and write enable. + //---------------------------------------------------------------- + reg [1 : 0] sword_ctr_reg; + reg [1 : 0] sword_ctr_new; + reg sword_ctr_we; + reg sword_ctr_inc; + reg sword_ctr_rst; + + reg [3 : 0] round_ctr_reg; + reg [3 : 0] round_ctr_new; + reg round_ctr_we; + reg round_ctr_set; + reg round_ctr_dec; + + reg [127 : 0] block_new; + reg [31 : 0] block_w0_reg; + reg [31 : 0] block_w1_reg; + reg [31 : 0] block_w2_reg; + reg [31 : 0] block_w3_reg; + reg block_w0_we; + reg block_w1_we; + reg block_w2_we; + reg block_w3_we; + + reg ready_reg; + reg ready_new; + reg ready_we; + + reg [2 : 0] dec_ctrl_reg; + reg [2 : 0] dec_ctrl_new; + reg dec_ctrl_we; + + + //---------------------------------------------------------------- + // Wires. + //---------------------------------------------------------------- + reg [31 : 0] tmp_sboxw; + wire [31 : 0] new_sboxw; + reg [2 : 0] update_type; + + + //---------------------------------------------------------------- + // Instantiations. + //---------------------------------------------------------------- + aes_inv_sbox inv_sbox_inst(.sword(tmp_sboxw), .new_sword(new_sboxw)); + + + //---------------------------------------------------------------- + // Concurrent connectivity for ports etc. + //---------------------------------------------------------------- + assign round = round_ctr_reg; + assign new_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; + assign ready = ready_reg; + + + //---------------------------------------------------------------- + // reg_update + // + // Update functionality for all registers in the core. + // All registers are positive edge triggered with synchronous + // active low reset. All registers have write enable. + //---------------------------------------------------------------- + always @ (posedge clk or negedge reset_n) + begin: reg_update + if (!reset_n) + begin + block_w0_reg <= 32'h0; + block_w1_reg <= 32'h0; + block_w2_reg <= 32'h0; + block_w3_reg <= 32'h0; + sword_ctr_reg <= 2'h0; + round_ctr_reg <= 4'h0; + ready_reg <= 1'b1; + dec_ctrl_reg <= CTRL_IDLE; + end + else + begin + if (block_w0_we) + block_w0_reg <= block_new[127 : 096]; + + if (block_w1_we) + block_w1_reg <= block_new[095 : 064]; + + if (block_w2_we) + block_w2_reg <= block_new[063 : 032]; + + if (block_w3_we) + block_w3_reg <= block_new[031 : 000]; + + if (sword_ctr_we) + sword_ctr_reg <= sword_ctr_new; + + if (round_ctr_we) + round_ctr_reg <= round_ctr_new; + + if (ready_we) + ready_reg <= ready_new; + + if (dec_ctrl_we) + dec_ctrl_reg <= dec_ctrl_new; + end + end // reg_update + + + //---------------------------------------------------------------- + // round_logic + // + // The logic needed to implement init, main and final rounds. + //---------------------------------------------------------------- + always @* + begin : round_logic + reg [127 : 0] old_block, inv_shiftrows_block, inv_mixcolumns_block; + reg [127 : 0] addkey_block; + + inv_shiftrows_block = 128'h0; + inv_mixcolumns_block = 128'h0; + addkey_block = 128'h0; + block_new = 128'h0; + tmp_sboxw = 32'h0; + block_w0_we = 1'b0; + block_w1_we = 1'b0; + block_w2_we = 1'b0; + block_w3_we = 1'b0; + + old_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; + + // Update based on update type. + case (update_type) + // InitRound + INIT_UPDATE: + begin + old_block = block; + addkey_block = addroundkey(old_block, round_key); + inv_shiftrows_block = inv_shiftrows(addkey_block); + block_new = inv_shiftrows_block; + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + SBOX_UPDATE: + begin + block_new = {new_sboxw, new_sboxw, new_sboxw, new_sboxw}; + + case (sword_ctr_reg) + 2'h0: + begin + tmp_sboxw = block_w0_reg; + block_w0_we = 1'b1; + end + + 2'h1: + begin + tmp_sboxw = block_w1_reg; + block_w1_we = 1'b1; + end + + 2'h2: + begin + tmp_sboxw = block_w2_reg; + block_w2_we = 1'b1; + end + + 2'h3: + begin + tmp_sboxw = block_w3_reg; + block_w3_we = 1'b1; + end + endcase // case (sbox_mux_ctrl_reg) + end + + MAIN_UPDATE: + begin + addkey_block = addroundkey(old_block, round_key); + inv_mixcolumns_block = inv_mixcolumns(addkey_block); + inv_shiftrows_block = inv_shiftrows(inv_mixcolumns_block); + block_new = inv_shiftrows_block; + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + FINAL_UPDATE: + begin + block_new = addroundkey(old_block, round_key); + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + default: + begin + end + endcase // case (update_type) + end // round_logic + + + //---------------------------------------------------------------- + // sword_ctr + // + // The subbytes word counter with reset and increase logic. + //---------------------------------------------------------------- + always @* + begin : sword_ctr + sword_ctr_new = 2'h0; + sword_ctr_we = 1'b0; + + if (sword_ctr_rst) + begin + sword_ctr_new = 2'h0; + sword_ctr_we = 1'b1; + end + else if (sword_ctr_inc) + begin + sword_ctr_new = sword_ctr_reg + 1'b1; + sword_ctr_we = 1'b1; + end + end // sword_ctr + + + //---------------------------------------------------------------- + // round_ctr + // + // The round counter with reset and increase logic. + //---------------------------------------------------------------- + always @* + begin : round_ctr + round_ctr_new = 4'h0; + round_ctr_we = 1'b0; + + if (round_ctr_set) + begin + if (keylen == AES_256_BIT_KEY) + begin + round_ctr_new = AES256_ROUNDS; + end + else + begin + round_ctr_new = AES128_ROUNDS; + end + round_ctr_we = 1'b1; + end + else if (round_ctr_dec) + begin + round_ctr_new = round_ctr_reg - 1'b1; + round_ctr_we = 1'b1; + end + end // round_ctr + + + //---------------------------------------------------------------- + // decipher_ctrl + // + // The FSM that controls the decipher operations. + //---------------------------------------------------------------- + always @* + begin: decipher_ctrl + sword_ctr_inc = 1'b0; + sword_ctr_rst = 1'b0; + round_ctr_dec = 1'b0; + round_ctr_set = 1'b0; + ready_new = 1'b0; + ready_we = 1'b0; + update_type = NO_UPDATE; + dec_ctrl_new = CTRL_IDLE; + dec_ctrl_we = 1'b0; + + case(dec_ctrl_reg) + CTRL_IDLE: + begin + if (next) + begin + round_ctr_set = 1'b1; + ready_new = 1'b0; + ready_we = 1'b1; + dec_ctrl_new = CTRL_INIT; + dec_ctrl_we = 1'b1; + end + end + + CTRL_INIT: + begin + sword_ctr_rst = 1'b1; + update_type = INIT_UPDATE; + dec_ctrl_new = CTRL_SBOX; + dec_ctrl_we = 1'b1; + end + + CTRL_SBOX: + begin + sword_ctr_inc = 1'b1; + update_type = SBOX_UPDATE; + if (sword_ctr_reg == 2'h3) + begin + round_ctr_dec = 1'b1; + dec_ctrl_new = CTRL_MAIN; + dec_ctrl_we = 1'b1; + end + end + + CTRL_MAIN: + begin + sword_ctr_rst = 1'b1; + if (round_ctr_reg > 0) + begin + update_type = MAIN_UPDATE; + dec_ctrl_new = CTRL_SBOX; + dec_ctrl_we = 1'b1; + end + else + begin + update_type = FINAL_UPDATE; + ready_new = 1'b1; + ready_we = 1'b1; + dec_ctrl_new = CTRL_IDLE; + dec_ctrl_we = 1'b1; + end + end + + default: + begin + // Empty. Just here to make the synthesis tool happy. + end + endcase // case (dec_ctrl_reg) + end // decipher_ctrl +endmodule // aes_decipher_block + +//====================================================================== +// EOF aes_decipher_block.v +//====================================================================== diff --git a/src/rtl/aes_encipher_block.v b/src/rtl/aes_encipher_block.v new file mode 100644 index 0000000..094653a --- /dev/null +++ b/src/rtl/aes_encipher_block.v @@ -0,0 +1,486 @@ +//====================================================================== +// +// aes_encipher_block.v +// -------------------- +// The AES encipher round. A pure combinational module that implements +// the initial round, main round and final round logic for +// enciper operations. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_encipher_block( + input wire clk, + input wire reset_n, + + input wire next, + + input wire keylen, + output wire [3 : 0] round, + input wire [127 : 0] round_key, + + output wire [31 : 0] sboxw, + input wire [31 : 0] new_sboxw, + + input wire [127 : 0] block, + output wire [127 : 0] new_block, + output wire ready + ); + + + //---------------------------------------------------------------- + // Internal constant and parameter definitions. + //---------------------------------------------------------------- + localparam AES_128_BIT_KEY = 1'h0; + localparam AES_256_BIT_KEY = 1'h1; + + localparam AES128_ROUNDS = 4'ha; + localparam AES256_ROUNDS = 4'he; + + localparam NO_UPDATE = 3'h0; + localparam INIT_UPDATE = 3'h1; + localparam SBOX_UPDATE = 3'h2; + localparam MAIN_UPDATE = 3'h3; + localparam FINAL_UPDATE = 3'h4; + + localparam CTRL_IDLE = 3'h0; + localparam CTRL_INIT = 3'h1; + localparam CTRL_SBOX = 3'h2; + localparam CTRL_MAIN = 3'h3; + localparam CTRL_FINAL = 3'h4; + + + //---------------------------------------------------------------- + // Round functions with sub functions. + //---------------------------------------------------------------- + function [7 : 0] gm2(input [7 : 0] op); + begin + gm2 = {op[6 : 0], 1'b0} ^ (8'h1b & {8{op[7]}}); + end + endfunction // gm2 + + function [7 : 0] gm3(input [7 : 0] op); + begin + gm3 = gm2(op) ^ op; + end + endfunction // gm3 + + function [31 : 0] mixw(input [31 : 0] w); + reg [7 : 0] b0, b1, b2, b3; + reg [7 : 0] mb0, mb1, mb2, mb3; + begin + b0 = w[31 : 24]; + b1 = w[23 : 16]; + b2 = w[15 : 08]; + b3 = w[07 : 00]; + + mb0 = gm2(b0) ^ gm3(b1) ^ b2 ^ b3; + mb1 = b0 ^ gm2(b1) ^ gm3(b2) ^ b3; + mb2 = b0 ^ b1 ^ gm2(b2) ^ gm3(b3); + mb3 = gm3(b0) ^ b1 ^ b2 ^ gm2(b3); + + mixw = {mb0, mb1, mb2, mb3}; + end + endfunction // mixw + + function [127 : 0] mixcolumns(input [127 : 0] data); + reg [31 : 0] w0, w1, w2, w3; + reg [31 : 0] ws0, ws1, ws2, ws3; + begin + w0 = data[127 : 096]; + w1 = data[095 : 064]; + w2 = data[063 : 032]; + w3 = data[031 : 000]; + + ws0 = mixw(w0); + ws1 = mixw(w1); + ws2 = mixw(w2); + ws3 = mixw(w3); + + mixcolumns = {ws0, ws1, ws2, ws3}; + end + endfunction // mixcolumns + + function [127 : 0] shiftrows(input [127 : 0] data); + reg [31 : 0] w0, w1, w2, w3; + reg [31 : 0] ws0, ws1, ws2, ws3; + begin + w0 = data[127 : 096]; + w1 = data[095 : 064]; + w2 = data[063 : 032]; + w3 = data[031 : 000]; + + ws0 = {w0[31 : 24], w1[23 : 16], w2[15 : 08], w3[07 : 00]}; + ws1 = {w1[31 : 24], w2[23 : 16], w3[15 : 08], w0[07 : 00]}; + ws2 = {w2[31 : 24], w3[23 : 16], w0[15 : 08], w1[07 : 00]}; + ws3 = {w3[31 : 24], w0[23 : 16], w1[15 : 08], w2[07 : 00]}; + + shiftrows = {ws0, ws1, ws2, ws3}; + end + endfunction // shiftrows + + function [127 : 0] addroundkey(input [127 : 0] data, input [127 : 0] rkey); + begin + addroundkey = data ^ rkey; + end + endfunction // addroundkey + + + //---------------------------------------------------------------- + // Registers including update variables and write enable. + //---------------------------------------------------------------- + reg [1 : 0] sword_ctr_reg; + reg [1 : 0] sword_ctr_new; + reg sword_ctr_we; + reg sword_ctr_inc; + reg sword_ctr_rst; + + reg [3 : 0] round_ctr_reg; + reg [3 : 0] round_ctr_new; + reg round_ctr_we; + reg round_ctr_rst; + reg round_ctr_inc; + + reg [127 : 0] block_new; + reg [31 : 0] block_w0_reg; + reg [31 : 0] block_w1_reg; + reg [31 : 0] block_w2_reg; + reg [31 : 0] block_w3_reg; + reg block_w0_we; + reg block_w1_we; + reg block_w2_we; + reg block_w3_we; + + reg ready_reg; + reg ready_new; + reg ready_we; + + reg [2 : 0] enc_ctrl_reg; + reg [2 : 0] enc_ctrl_new; + reg enc_ctrl_we; + + + //---------------------------------------------------------------- + // Wires. + //---------------------------------------------------------------- + reg [2 : 0] update_type; + reg [31 : 0] muxed_sboxw; + + + //---------------------------------------------------------------- + // Concurrent connectivity for ports etc. + //---------------------------------------------------------------- + assign round = round_ctr_reg; + assign sboxw = muxed_sboxw; + assign new_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; + assign ready = ready_reg; + + + //---------------------------------------------------------------- + // reg_update + // + // Update functionality for all registers in the core. + // All registers are positive edge triggered with asynchronous + // active low reset. All registers have write enable. + //---------------------------------------------------------------- + always @ (posedge clk or negedge reset_n) + begin: reg_update + if (!reset_n) + begin + block_w0_reg <= 32'h0; + block_w1_reg <= 32'h0; + block_w2_reg <= 32'h0; + block_w3_reg <= 32'h0; + sword_ctr_reg <= 2'h0; + round_ctr_reg <= 4'h0; + ready_reg <= 1'b1; + enc_ctrl_reg <= CTRL_IDLE; + end + else + begin + if (block_w0_we) + block_w0_reg <= block_new[127 : 096]; + + if (block_w1_we) + block_w1_reg <= block_new[095 : 064]; + + if (block_w2_we) + block_w2_reg <= block_new[063 : 032]; + + if (block_w3_we) + block_w3_reg <= block_new[031 : 000]; + + if (sword_ctr_we) + sword_ctr_reg <= sword_ctr_new; + + if (round_ctr_we) + round_ctr_reg <= round_ctr_new; + + if (ready_we) + ready_reg <= ready_new; + + if (enc_ctrl_we) + enc_ctrl_reg <= enc_ctrl_new; + end + end // reg_update + + + //---------------------------------------------------------------- + // round_logic + // + // The logic needed to implement init, main and final rounds. + //---------------------------------------------------------------- + always @* + begin : round_logic + reg [127 : 0] old_block, shiftrows_block, mixcolumns_block; + reg [127 : 0] addkey_init_block, addkey_main_block, addkey_final_block; + + block_new = 128'h0; + muxed_sboxw = 32'h0; + block_w0_we = 1'b0; + block_w1_we = 1'b0; + block_w2_we = 1'b0; + block_w3_we = 1'b0; + + old_block = {block_w0_reg, block_w1_reg, block_w2_reg, block_w3_reg}; + shiftrows_block = shiftrows(old_block); + mixcolumns_block = mixcolumns(shiftrows_block); + addkey_init_block = addroundkey(block, round_key); + addkey_main_block = addroundkey(mixcolumns_block, round_key); + addkey_final_block = addroundkey(shiftrows_block, round_key); + + case (update_type) + INIT_UPDATE: + begin + block_new = addkey_init_block; + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + SBOX_UPDATE: + begin + block_new = {new_sboxw, new_sboxw, new_sboxw, new_sboxw}; + + case (sword_ctr_reg) + 2'h0: + begin + muxed_sboxw = block_w0_reg; + block_w0_we = 1'b1; + end + + 2'h1: + begin + muxed_sboxw = block_w1_reg; + block_w1_we = 1'b1; + end + + 2'h2: + begin + muxed_sboxw = block_w2_reg; + block_w2_we = 1'b1; + end + + 2'h3: + begin + muxed_sboxw = block_w3_reg; + block_w3_we = 1'b1; + end + endcase // case (sbox_mux_ctrl_reg) + end + + MAIN_UPDATE: + begin + block_new = addkey_main_block; + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + FINAL_UPDATE: + begin + block_new = addkey_final_block; + block_w0_we = 1'b1; + block_w1_we = 1'b1; + block_w2_we = 1'b1; + block_w3_we = 1'b1; + end + + default: + begin + end + endcase // case (update_type) + end // round_logic + + + //---------------------------------------------------------------- + // sword_ctr + // + // The subbytes word counter with reset and increase logic. + //---------------------------------------------------------------- + always @* + begin : sword_ctr + sword_ctr_new = 2'h0; + sword_ctr_we = 1'b0; + + if (sword_ctr_rst) + begin + sword_ctr_new = 2'h0; + sword_ctr_we = 1'b1; + end + else if (sword_ctr_inc) + begin + sword_ctr_new = sword_ctr_reg + 1'b1; + sword_ctr_we = 1'b1; + end + end // sword_ctr + + + //---------------------------------------------------------------- + // round_ctr + // + // The round counter with reset and increase logic. + //---------------------------------------------------------------- + always @* + begin : round_ctr + round_ctr_new = 4'h0; + round_ctr_we = 1'b0; + + if (round_ctr_rst) + begin + round_ctr_new = 4'h0; + round_ctr_we = 1'b1; + end + else if (round_ctr_inc) + begin + round_ctr_new = round_ctr_reg + 1'b1; + round_ctr_we = 1'b1; + end + end // round_ctr + + + //---------------------------------------------------------------- + // encipher_ctrl + // + // The FSM that controls the encipher operations. + //---------------------------------------------------------------- + always @* + begin: encipher_ctrl + reg [3 : 0] num_rounds; + + if (keylen == AES_256_BIT_KEY) + begin + num_rounds = AES256_ROUNDS; + end + else + begin + num_rounds = AES128_ROUNDS; + end + + sword_ctr_inc = 1'b0; + sword_ctr_rst = 1'b0; + round_ctr_inc = 1'b0; + round_ctr_rst = 1'b0; + ready_new = 1'b0; + ready_we = 1'b0; + update_type = NO_UPDATE; + enc_ctrl_new = CTRL_IDLE; + enc_ctrl_we = 1'b0; + + case(enc_ctrl_reg) + CTRL_IDLE: + begin + if (next) + begin + round_ctr_rst = 1'b1; + ready_new = 1'b0; + ready_we = 1'b1; + enc_ctrl_new = CTRL_INIT; + enc_ctrl_we = 1'b1; + end + end + + CTRL_INIT: + begin + round_ctr_inc = 1'b1; + sword_ctr_rst = 1'b1; + update_type = INIT_UPDATE; + enc_ctrl_new = CTRL_SBOX; + enc_ctrl_we = 1'b1; + end + + CTRL_SBOX: + begin + sword_ctr_inc = 1'b1; + update_type = SBOX_UPDATE; + if (sword_ctr_reg == 2'h3) + begin + enc_ctrl_new = CTRL_MAIN; + enc_ctrl_we = 1'b1; + end + end + + CTRL_MAIN: + begin + sword_ctr_rst = 1'b1; + round_ctr_inc = 1'b1; + if (round_ctr_reg < num_rounds) + begin + update_type = MAIN_UPDATE; + enc_ctrl_new = CTRL_SBOX; + enc_ctrl_we = 1'b1; + end + else + begin + update_type = FINAL_UPDATE; + ready_new = 1'b1; + ready_we = 1'b1; + enc_ctrl_new = CTRL_IDLE; + enc_ctrl_we = 1'b1; + end + end + + default: + begin + // Empty. Just here to make the synthesis tool happy. + end + endcase // case (enc_ctrl_reg) + end // encipher_ctrl + +endmodule // aes_encipher_block + +//====================================================================== +// EOF aes_encipher_block.v +//====================================================================== diff --git a/src/rtl/aes_inv_sbox.v b/src/rtl/aes_inv_sbox.v new file mode 100644 index 0000000..807f397 --- /dev/null +++ b/src/rtl/aes_inv_sbox.v @@ -0,0 +1,325 @@ +//====================================================================== +// +// aes_inv_sbox.v +// -------------- +// The inverse AES S-box. Basically a 256 Byte ROM. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_inv_sbox( + input wire [31 : 0] sword, + output wire [31 : 0] new_sword + ); + + + //---------------------------------------------------------------- + // The inverse sbox array. + //---------------------------------------------------------------- + wire [7 : 0] inv_sbox [0 : 255]; + + + //---------------------------------------------------------------- + // Four parallel muxes. + //---------------------------------------------------------------- + assign new_sword[31 : 24] = inv_sbox[sword[31 : 24]]; + assign new_sword[23 : 16] = inv_sbox[sword[23 : 16]]; + assign new_sword[15 : 08] = inv_sbox[sword[15 : 08]]; + assign new_sword[07 : 00] = inv_sbox[sword[07 : 00]]; + + + //---------------------------------------------------------------- + // Creating the contents of the array. + //---------------------------------------------------------------- + assign inv_sbox[8'h00] = 8'h52; + assign inv_sbox[8'h01] = 8'h09; + assign inv_sbox[8'h02] = 8'h6a; + assign inv_sbox[8'h03] = 8'hd5; + assign inv_sbox[8'h04] = 8'h30; + assign inv_sbox[8'h05] = 8'h36; + assign inv_sbox[8'h06] = 8'ha5; + assign inv_sbox[8'h07] = 8'h38; + assign inv_sbox[8'h08] = 8'hbf; + assign inv_sbox[8'h09] = 8'h40; + assign inv_sbox[8'h0a] = 8'ha3; + assign inv_sbox[8'h0b] = 8'h9e; + assign inv_sbox[8'h0c] = 8'h81; + assign inv_sbox[8'h0d] = 8'hf3; + assign inv_sbox[8'h0e] = 8'hd7; + assign inv_sbox[8'h0f] = 8'hfb; + assign inv_sbox[8'h10] = 8'h7c; + assign inv_sbox[8'h11] = 8'he3; + assign inv_sbox[8'h12] = 8'h39; + assign inv_sbox[8'h13] = 8'h82; + assign inv_sbox[8'h14] = 8'h9b; + assign inv_sbox[8'h15] = 8'h2f; + assign inv_sbox[8'h16] = 8'hff; + assign inv_sbox[8'h17] = 8'h87; + assign inv_sbox[8'h18] = 8'h34; + assign inv_sbox[8'h19] = 8'h8e; + assign inv_sbox[8'h1a] = 8'h43; + assign inv_sbox[8'h1b] = 8'h44; + assign inv_sbox[8'h1c] = 8'hc4; + assign inv_sbox[8'h1d] = 8'hde; + assign inv_sbox[8'h1e] = 8'he9; + assign inv_sbox[8'h1f] = 8'hcb; + assign inv_sbox[8'h20] = 8'h54; + assign inv_sbox[8'h21] = 8'h7b; + assign inv_sbox[8'h22] = 8'h94; + assign inv_sbox[8'h23] = 8'h32; + assign inv_sbox[8'h24] = 8'ha6; + assign inv_sbox[8'h25] = 8'hc2; + assign inv_sbox[8'h26] = 8'h23; + assign inv_sbox[8'h27] = 8'h3d; + assign inv_sbox[8'h28] = 8'hee; + assign inv_sbox[8'h29] = 8'h4c; + assign inv_sbox[8'h2a] = 8'h95; + assign inv_sbox[8'h2b] = 8'h0b; + assign inv_sbox[8'h2c] = 8'h42; + assign inv_sbox[8'h2d] = 8'hfa; + assign inv_sbox[8'h2e] = 8'hc3; + assign inv_sbox[8'h2f] = 8'h4e; + assign inv_sbox[8'h30] = 8'h08; + assign inv_sbox[8'h31] = 8'h2e; + assign inv_sbox[8'h32] = 8'ha1; + assign inv_sbox[8'h33] = 8'h66; + assign inv_sbox[8'h34] = 8'h28; + assign inv_sbox[8'h35] = 8'hd9; + assign inv_sbox[8'h36] = 8'h24; + assign inv_sbox[8'h37] = 8'hb2; + assign inv_sbox[8'h38] = 8'h76; + assign inv_sbox[8'h39] = 8'h5b; + assign inv_sbox[8'h3a] = 8'ha2; + assign inv_sbox[8'h3b] = 8'h49; + assign inv_sbox[8'h3c] = 8'h6d; + assign inv_sbox[8'h3d] = 8'h8b; + assign inv_sbox[8'h3e] = 8'hd1; + assign inv_sbox[8'h3f] = 8'h25; + assign inv_sbox[8'h40] = 8'h72; + assign inv_sbox[8'h41] = 8'hf8; + assign inv_sbox[8'h42] = 8'hf6; + assign inv_sbox[8'h43] = 8'h64; + assign inv_sbox[8'h44] = 8'h86; + assign inv_sbox[8'h45] = 8'h68; + assign inv_sbox[8'h46] = 8'h98; + assign inv_sbox[8'h47] = 8'h16; + assign inv_sbox[8'h48] = 8'hd4; + assign inv_sbox[8'h49] = 8'ha4; + assign inv_sbox[8'h4a] = 8'h5c; + assign inv_sbox[8'h4b] = 8'hcc; + assign inv_sbox[8'h4c] = 8'h5d; + assign inv_sbox[8'h4d] = 8'h65; + assign inv_sbox[8'h4e] = 8'hb6; + assign inv_sbox[8'h4f] = 8'h92; + assign inv_sbox[8'h50] = 8'h6c; + assign inv_sbox[8'h51] = 8'h70; + assign inv_sbox[8'h52] = 8'h48; + assign inv_sbox[8'h53] = 8'h50; + assign inv_sbox[8'h54] = 8'hfd; + assign inv_sbox[8'h55] = 8'hed; + assign inv_sbox[8'h56] = 8'hb9; + assign inv_sbox[8'h57] = 8'hda; + assign inv_sbox[8'h58] = 8'h5e; + assign inv_sbox[8'h59] = 8'h15; + assign inv_sbox[8'h5a] = 8'h46; + assign inv_sbox[8'h5b] = 8'h57; + assign inv_sbox[8'h5c] = 8'ha7; + assign inv_sbox[8'h5d] = 8'h8d; + assign inv_sbox[8'h5e] = 8'h9d; + assign inv_sbox[8'h5f] = 8'h84; + assign inv_sbox[8'h60] = 8'h90; + assign inv_sbox[8'h61] = 8'hd8; + assign inv_sbox[8'h62] = 8'hab; + assign inv_sbox[8'h63] = 8'h00; + assign inv_sbox[8'h64] = 8'h8c; + assign inv_sbox[8'h65] = 8'hbc; + assign inv_sbox[8'h66] = 8'hd3; + assign inv_sbox[8'h67] = 8'h0a; + assign inv_sbox[8'h68] = 8'hf7; + assign inv_sbox[8'h69] = 8'he4; + assign inv_sbox[8'h6a] = 8'h58; + assign inv_sbox[8'h6b] = 8'h05; + assign inv_sbox[8'h6c] = 8'hb8; + assign inv_sbox[8'h6d] = 8'hb3; + assign inv_sbox[8'h6e] = 8'h45; + assign inv_sbox[8'h6f] = 8'h06; + assign inv_sbox[8'h70] = 8'hd0; + assign inv_sbox[8'h71] = 8'h2c; + assign inv_sbox[8'h72] = 8'h1e; + assign inv_sbox[8'h73] = 8'h8f; + assign inv_sbox[8'h74] = 8'hca; + assign inv_sbox[8'h75] = 8'h3f; + assign inv_sbox[8'h76] = 8'h0f; + assign inv_sbox[8'h77] = 8'h02; + assign inv_sbox[8'h78] = 8'hc1; + assign inv_sbox[8'h79] = 8'haf; + assign inv_sbox[8'h7a] = 8'hbd; + assign inv_sbox[8'h7b] = 8'h03; + assign inv_sbox[8'h7c] = 8'h01; + assign inv_sbox[8'h7d] = 8'h13; + assign inv_sbox[8'h7e] = 8'h8a; + assign inv_sbox[8'h7f] = 8'h6b; + assign inv_sbox[8'h80] = 8'h3a; + assign inv_sbox[8'h81] = 8'h91; + assign inv_sbox[8'h82] = 8'h11; + assign inv_sbox[8'h83] = 8'h41; + assign inv_sbox[8'h84] = 8'h4f; + assign inv_sbox[8'h85] = 8'h67; + assign inv_sbox[8'h86] = 8'hdc; + assign inv_sbox[8'h87] = 8'hea; + assign inv_sbox[8'h88] = 8'h97; + assign inv_sbox[8'h89] = 8'hf2; + assign inv_sbox[8'h8a] = 8'hcf; + assign inv_sbox[8'h8b] = 8'hce; + assign inv_sbox[8'h8c] = 8'hf0; + assign inv_sbox[8'h8d] = 8'hb4; + assign inv_sbox[8'h8e] = 8'he6; + assign inv_sbox[8'h8f] = 8'h73; + assign inv_sbox[8'h90] = 8'h96; + assign inv_sbox[8'h91] = 8'hac; + assign inv_sbox[8'h92] = 8'h74; + assign inv_sbox[8'h93] = 8'h22; + assign inv_sbox[8'h94] = 8'he7; + assign inv_sbox[8'h95] = 8'had; + assign inv_sbox[8'h96] = 8'h35; + assign inv_sbox[8'h97] = 8'h85; + assign inv_sbox[8'h98] = 8'he2; + assign inv_sbox[8'h99] = 8'hf9; + assign inv_sbox[8'h9a] = 8'h37; + assign inv_sbox[8'h9b] = 8'he8; + assign inv_sbox[8'h9c] = 8'h1c; + assign inv_sbox[8'h9d] = 8'h75; + assign inv_sbox[8'h9e] = 8'hdf; + assign inv_sbox[8'h9f] = 8'h6e; + assign inv_sbox[8'ha0] = 8'h47; + assign inv_sbox[8'ha1] = 8'hf1; + assign inv_sbox[8'ha2] = 8'h1a; + assign inv_sbox[8'ha3] = 8'h71; + assign inv_sbox[8'ha4] = 8'h1d; + assign inv_sbox[8'ha5] = 8'h29; + assign inv_sbox[8'ha6] = 8'hc5; + assign inv_sbox[8'ha7] = 8'h89; + assign inv_sbox[8'ha8] = 8'h6f; + assign inv_sbox[8'ha9] = 8'hb7; + assign inv_sbox[8'haa] = 8'h62; + assign inv_sbox[8'hab] = 8'h0e; + assign inv_sbox[8'hac] = 8'haa; + assign inv_sbox[8'had] = 8'h18; + assign inv_sbox[8'hae] = 8'hbe; + assign inv_sbox[8'haf] = 8'h1b; + assign inv_sbox[8'hb0] = 8'hfc; + assign inv_sbox[8'hb1] = 8'h56; + assign inv_sbox[8'hb2] = 8'h3e; + assign inv_sbox[8'hb3] = 8'h4b; + assign inv_sbox[8'hb4] = 8'hc6; + assign inv_sbox[8'hb5] = 8'hd2; + assign inv_sbox[8'hb6] = 8'h79; + assign inv_sbox[8'hb7] = 8'h20; + assign inv_sbox[8'hb8] = 8'h9a; + assign inv_sbox[8'hb9] = 8'hdb; + assign inv_sbox[8'hba] = 8'hc0; + assign inv_sbox[8'hbb] = 8'hfe; + assign inv_sbox[8'hbc] = 8'h78; + assign inv_sbox[8'hbd] = 8'hcd; + assign inv_sbox[8'hbe] = 8'h5a; + assign inv_sbox[8'hbf] = 8'hf4; + assign inv_sbox[8'hc0] = 8'h1f; + assign inv_sbox[8'hc1] = 8'hdd; + assign inv_sbox[8'hc2] = 8'ha8; + assign inv_sbox[8'hc3] = 8'h33; + assign inv_sbox[8'hc4] = 8'h88; + assign inv_sbox[8'hc5] = 8'h07; + assign inv_sbox[8'hc6] = 8'hc7; + assign inv_sbox[8'hc7] = 8'h31; + assign inv_sbox[8'hc8] = 8'hb1; + assign inv_sbox[8'hc9] = 8'h12; + assign inv_sbox[8'hca] = 8'h10; + assign inv_sbox[8'hcb] = 8'h59; + assign inv_sbox[8'hcc] = 8'h27; + assign inv_sbox[8'hcd] = 8'h80; + assign inv_sbox[8'hce] = 8'hec; + assign inv_sbox[8'hcf] = 8'h5f; + assign inv_sbox[8'hd0] = 8'h60; + assign inv_sbox[8'hd1] = 8'h51; + assign inv_sbox[8'hd2] = 8'h7f; + assign inv_sbox[8'hd3] = 8'ha9; + assign inv_sbox[8'hd4] = 8'h19; + assign inv_sbox[8'hd5] = 8'hb5; + assign inv_sbox[8'hd6] = 8'h4a; + assign inv_sbox[8'hd7] = 8'h0d; + assign inv_sbox[8'hd8] = 8'h2d; + assign inv_sbox[8'hd9] = 8'he5; + assign inv_sbox[8'hda] = 8'h7a; + assign inv_sbox[8'hdb] = 8'h9f; + assign inv_sbox[8'hdc] = 8'h93; + assign inv_sbox[8'hdd] = 8'hc9; + assign inv_sbox[8'hde] = 8'h9c; + assign inv_sbox[8'hdf] = 8'hef; + assign inv_sbox[8'he0] = 8'ha0; + assign inv_sbox[8'he1] = 8'he0; + assign inv_sbox[8'he2] = 8'h3b; + assign inv_sbox[8'he3] = 8'h4d; + assign inv_sbox[8'he4] = 8'hae; + assign inv_sbox[8'he5] = 8'h2a; + assign inv_sbox[8'he6] = 8'hf5; + assign inv_sbox[8'he7] = 8'hb0; + assign inv_sbox[8'he8] = 8'hc8; + assign inv_sbox[8'he9] = 8'heb; + assign inv_sbox[8'hea] = 8'hbb; + assign inv_sbox[8'heb] = 8'h3c; + assign inv_sbox[8'hec] = 8'h83; + assign inv_sbox[8'hed] = 8'h53; + assign inv_sbox[8'hee] = 8'h99; + assign inv_sbox[8'hef] = 8'h61; + assign inv_sbox[8'hf0] = 8'h17; + assign inv_sbox[8'hf1] = 8'h2b; + assign inv_sbox[8'hf2] = 8'h04; + assign inv_sbox[8'hf3] = 8'h7e; + assign inv_sbox[8'hf4] = 8'hba; + assign inv_sbox[8'hf5] = 8'h77; + assign inv_sbox[8'hf6] = 8'hd6; + assign inv_sbox[8'hf7] = 8'h26; + assign inv_sbox[8'hf8] = 8'he1; + assign inv_sbox[8'hf9] = 8'h69; + assign inv_sbox[8'hfa] = 8'h14; + assign inv_sbox[8'hfb] = 8'h63; + assign inv_sbox[8'hfc] = 8'h55; + assign inv_sbox[8'hfd] = 8'h21; + assign inv_sbox[8'hfe] = 8'h0c; + assign inv_sbox[8'hff] = 8'h7d; + +endmodule // aes_inv_sbox + +//====================================================================== +// EOF aes_inv_sbox.v +//====================================================================== diff --git a/src/rtl/aes_key_mem.v b/src/rtl/aes_key_mem.v new file mode 100644 index 0000000..496fc08 --- /dev/null +++ b/src/rtl/aes_key_mem.v @@ -0,0 +1,454 @@ +//====================================================================== +// +// aes_key_mem.v +// ------------- +// The AES key memort including round key generator. +// +// +// Author: Joachim Strombergson +// Copyright (c) 2014, NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_key_mem( + input wire clk, + input wire reset_n, + + input wire [255 : 0] key, + input wire keylen, + input wire init, + + input wire [3 : 0] round, + output wire [127 : 0] round_key, + output wire ready, + + + output wire [31 : 0] sboxw, + input wire [31 : 0] new_sboxw + ); + + + //---------------------------------------------------------------- + // Parameters. + //---------------------------------------------------------------- + localparam AES_128_BIT_KEY = 1'h0; + localparam AES_256_BIT_KEY = 1'h1; + + localparam AES_128_NUM_ROUNDS = 4'ha; + localparam AES_256_NUM_ROUNDS = 4'he; + + localparam CTRL_IDLE = 3'h0; + localparam CTRL_INIT = 3'h1; + localparam CTRL_GENERATE = 3'h2; + localparam CTRL_DONE = 3'h3; + + + //---------------------------------------------------------------- + // Registers. + //---------------------------------------------------------------- + reg [127 : 0] key_mem [0 : 14]; + reg [127 : 0] key_mem_new; + reg key_mem_we; + + reg [127 : 0] prev_key0_reg; + reg [127 : 0] prev_key0_new; + reg prev_key0_we; + + reg [127 : 0] prev_key1_reg; + reg [127 : 0] prev_key1_new; + reg prev_key1_we; + + reg [3 : 0] round_ctr_reg; + reg [3 : 0] round_ctr_new; + reg round_ctr_rst; + reg round_ctr_inc; + reg round_ctr_we; + + reg [2 : 0] key_mem_ctrl_reg; + reg [2 : 0] key_mem_ctrl_new; + reg key_mem_ctrl_we; + + reg ready_reg; + reg ready_new; + reg ready_we; + + reg [7 : 0] rcon_reg; + reg [7 : 0] rcon_new; + reg rcon_we; + reg rcon_set; + reg rcon_next; + + + //---------------------------------------------------------------- + // Wires. + //---------------------------------------------------------------- + reg [31 : 0] tmp_sboxw; + + reg round_key_update; + reg [3 : 0] num_rounds; + + reg [127 : 0] tmp_round_key; + + + //---------------------------------------------------------------- + // Concurrent assignments for ports. + //---------------------------------------------------------------- + assign round_key = tmp_round_key; + assign ready = ready_reg; + assign sboxw = tmp_sboxw; + + + //---------------------------------------------------------------- + // reg_update + // + // Update functionality for all registers in the core. + // All registers are positive edge triggered with asynchronous + // active low reset. All registers have write enable. + //---------------------------------------------------------------- + always @ (posedge clk or negedge reset_n) + begin: reg_update + integer i; + + if (!reset_n) + begin + for (i = 0 ; i < 4 ; i = i + 1) + key_mem [i] <= 128'h0; + + rcon_reg <= 8'h0; + ready_reg <= 1'b0; + round_ctr_reg <= 4'h0; + key_mem_ctrl_reg <= CTRL_IDLE; + end + else + begin + if (round_ctr_we) + round_ctr_reg <= round_ctr_new; + + if (ready_we) + ready_reg <= ready_new; + + if (rcon_we) + rcon_reg <= rcon_new; + + if (key_mem_we) + key_mem[round_ctr_reg] <= key_mem_new; + + if (prev_key0_we) + prev_key0_reg <= prev_key0_new; + + if (prev_key1_we) + prev_key1_reg <= prev_key1_new; + + if (key_mem_ctrl_we) + key_mem_ctrl_reg <= key_mem_ctrl_new; + end + end // reg_update + + + //---------------------------------------------------------------- + // key_mem_read + // + // Combinational read port for the key memory. + //---------------------------------------------------------------- + always @* + begin : key_mem_read + tmp_round_key = key_mem[round]; + end // key_mem_read + + + //---------------------------------------------------------------- + // round_key_gen + // + // The round key generator logic for AES-128 and AES-256. + //---------------------------------------------------------------- + always @* + begin: round_key_gen + reg [31 : 0] w0, w1, w2, w3, w4, w5, w6, w7; + reg [31 : 0] k0, k1, k2, k3; + reg [31 : 0] rconw, rotstw, tw, trw; + + // Default assignments. + key_mem_new = 128'h0; + key_mem_we = 1'b0; + prev_key0_new = 128'h0; + prev_key0_we = 1'b0; + prev_key1_new = 128'h0; + prev_key1_we = 1'b0; + + k0 = 32'h0; + k1 = 32'h0; + k2 = 32'h0; + k3 = 32'h0; + + rcon_set = 1'b1; + rcon_next = 1'b0; + + // Extract words and calculate intermediate values. + // Perform rotation of sbox word etc. + w0 = prev_key0_reg[127 : 096]; + w1 = prev_key0_reg[095 : 064]; + w2 = prev_key0_reg[063 : 032]; + w3 = prev_key0_reg[031 : 000]; + + w4 = prev_key1_reg[127 : 096]; + w5 = prev_key1_reg[095 : 064]; + w6 = prev_key1_reg[063 : 032]; + w7 = prev_key1_reg[031 : 000]; + + rconw = {rcon_reg, 24'h0}; + tmp_sboxw = w7; + rotstw = {new_sboxw[23 : 00], new_sboxw[31 : 24]}; + trw = rotstw ^ rconw; + tw = new_sboxw; + + // Generate the specific round keys. + if (round_key_update) + begin + rcon_set = 1'b0; + key_mem_we = 1'b1; + case (keylen) + AES_128_BIT_KEY: + begin + if (round_ctr_reg == 0) + begin + key_mem_new = key[255 : 128]; + prev_key1_new = key[255 : 128]; + prev_key1_we = 1'b1; + rcon_next = 1'b1; + end + else + begin + k0 = w4 ^ trw; + k1 = w5 ^ w4 ^ trw; + k2 = w6 ^ w5 ^ w4 ^ trw; + k3 = w7 ^ w6 ^ w5 ^ w4 ^ trw; + + key_mem_new = {k0, k1, k2, k3}; + prev_key1_new = {k0, k1, k2, k3}; + prev_key1_we = 1'b1; + rcon_next = 1'b1; + end + end + + AES_256_BIT_KEY: + begin + if (round_ctr_reg == 0) + begin + key_mem_new = key[255 : 128]; + prev_key0_new = key[255 : 128]; + prev_key0_we = 1'b1; + end + else if (round_ctr_reg == 1) + begin + key_mem_new = key[127 : 0]; + prev_key1_new = key[127 : 0]; + prev_key1_we = 1'b1; + rcon_next = 1'b1; + end + else + begin + if (round_ctr_reg[0] == 0) + begin + k0 = w0 ^ trw; + k1 = w1 ^ w0 ^ trw; + k2 = w2 ^ w1 ^ w0 ^ trw; + k3 = w3 ^ w2 ^ w1 ^ w0 ^ trw; + end + else + begin + k0 = w0 ^ tw; + k1 = w1 ^ w0 ^ tw; + k2 = w2 ^ w1 ^ w0 ^ tw; + k3 = w3 ^ w2 ^ w1 ^ w0 ^ tw; + rcon_next = 1'b1; + end + + // Store the generated round keys. + key_mem_new = {k0, k1, k2, k3}; + prev_key1_new = {k0, k1, k2, k3}; + prev_key1_we = 1'b1; + prev_key0_new = prev_key1_reg; + prev_key0_we = 1'b1; + end + end + + default: + begin + end + endcase // case (keylen) + end + end // round_key_gen + + + //---------------------------------------------------------------- + // rcon_logic + // + // Caclulates the rcon value for the different key expansion + // iterations. + //---------------------------------------------------------------- + always @* + begin : rcon_logic + reg [7 : 0] tmp_rcon; + rcon_new = 8'h00; + rcon_we = 1'b0; + + tmp_rcon = {rcon_reg[6 : 0], 1'b0} ^ (8'h1b & {8{rcon_reg[7]}}); + + if (rcon_set) + begin + rcon_new = 8'h8d; + rcon_we = 1'b1; + end + + if (rcon_next) + begin + rcon_new = tmp_rcon[7 : 0]; + rcon_we = 1'b1; + end + end + + + //---------------------------------------------------------------- + // round_ctr + // + // The round counter logic with increase and reset. + //---------------------------------------------------------------- + always @* + begin : round_ctr + round_ctr_new = 4'h0; + round_ctr_we = 1'b0; + + if (round_ctr_rst) + begin + round_ctr_new = 4'h0; + round_ctr_we = 1'b1; + end + + else if (round_ctr_inc) + begin + round_ctr_new = round_ctr_reg + 1'b1; + round_ctr_we = 1'b1; + end + end + + + //---------------------------------------------------------------- + // num_rounds_logic + // + // Logic to select the number of rounds to generate keys for + //---------------------------------------------------------------- + always @* + begin : num_rounds_logic + num_rounds = 4'h0; + + case (keylen) + AES_128_BIT_KEY: + begin + num_rounds = AES_128_NUM_ROUNDS; + end + + AES_256_BIT_KEY: + begin + num_rounds = AES_256_NUM_ROUNDS; + end + + default: + begin + end + endcase // case (keylen) + end + + + //---------------------------------------------------------------- + // key_mem_ctrl + // + // + // The FSM that controls the round key generation. + //---------------------------------------------------------------- + always @* + begin: key_mem_ctrl + // Default assignments. + ready_new = 1'b0; + ready_we = 1'b0; + round_key_update = 1'b0; + round_ctr_rst = 1'b0; + round_ctr_inc = 1'b0; + key_mem_ctrl_new = CTRL_IDLE; + key_mem_ctrl_we = 1'b0; + + case(key_mem_ctrl_reg) + CTRL_IDLE: + begin + if (init) + begin + ready_new = 1'b0; + ready_we = 1'b1; + key_mem_ctrl_new = CTRL_INIT; + key_mem_ctrl_we = 1'b1; + end + end + + CTRL_INIT: + begin + round_ctr_rst = 1'b1; + key_mem_ctrl_new = CTRL_GENERATE; + key_mem_ctrl_we = 1'b1; + end + + CTRL_GENERATE: + begin + round_ctr_inc = 1'b1; + round_key_update = 1'b1; + if (round_ctr_reg == num_rounds) + begin + key_mem_ctrl_new = CTRL_DONE; + key_mem_ctrl_we = 1'b1; + end + end + + CTRL_DONE: + begin + ready_new = 1'b1; + ready_we = 1'b1; + key_mem_ctrl_new = CTRL_IDLE; + key_mem_ctrl_we = 1'b1; + end + + default: + begin + end + endcase // case (key_mem_ctrl_reg) + + end // key_mem_ctrl +endmodule // aes_key_mem + +//====================================================================== +// EOF aes_key_mem.v +//====================================================================== diff --git a/src/rtl/aes_sbox.v b/src/rtl/aes_sbox.v new file mode 100644 index 0000000..09ba129 --- /dev/null +++ b/src/rtl/aes_sbox.v @@ -0,0 +1,325 @@ +//====================================================================== +// +// aes_sbox.v +// ---------- +// The AES S-box. Basically a 256 Byte ROM. This implementation +// contains four parallel S-boxes to handle a 32 bit word. +// +// +// Copyright (c) 2013 NORDUnet A/S +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// - Redistributions of source code must retain the above copyright notice, +// this list of conditions and the following disclaimer. +// +// - Redistributions in binary form must reproduce the above copyright +// notice, this list of conditions and the following disclaimer in the +// documentation and/or other materials provided with the distribution. +// +// - Neither the name of the NORDUnet nor the names of its contributors may +// be used to endorse or promote products derived from this software +// without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +// IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +// TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A +// PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +// TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +// PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +// LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +// NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +// +//====================================================================== + +module aes_sbox( + input wire [31 : 0] sboxw, + output wire [31 : 0] new_sboxw + ); + + + //---------------------------------------------------------------- + // The sbox array. + //---------------------------------------------------------------- + wire [7 : 0] sbox [0 : 255]; + + + //---------------------------------------------------------------- + // Four parallel muxes. + //---------------------------------------------------------------- + assign new_sboxw[31 : 24] = sbox[sboxw[31 : 24]]; + assign new_sboxw[23 : 16] = sbox[sboxw[23 : 16]]; + assign new_sboxw[15 : 08] = sbox[sboxw[15 : 08]]; + assign new_sboxw[07 : 00] = sbox[sboxw[07 : 00]]; + + + //---------------------------------------------------------------- + // Creating the sbox array contents. + //---------------------------------------------------------------- + assign sbox[8'h00] = 8'h63; + assign sbox[8'h01] = 8'h7c; + assign sbox[8'h02] = 8'h77; + assign sbox[8'h03] = 8'h7b; + assign sbox[8'h04] = 8'hf2; + assign sbox[8'h05] = 8'h6b; + assign sbox[8'h06] = 8'h6f; + assign sbox[8'h07] = 8'hc5; + assign sbox[8'h08] = 8'h30; + assign sbox[8'h09] = 8'h01; + assign sbox[8'h0a] = 8'h67; + assign sbox[8'h0b] = 8'h2b; + assign sbox[8'h0c] = 8'hfe; + assign sbox[8'h0d] = 8'hd7; + assign sbox[8'h0e] = 8'hab; + assign sbox[8'h0f] = 8'h76; + assign sbox[8'h10] = 8'hca; + assign sbox[8'h11] = 8'h82; + assign sbox[8'h12] = 8'hc9; + assign sbox[8'h13] = 8'h7d; + assign sbox[8'h14] = 8'hfa; + assign sbox[8'h15] = 8'h59; + assign sbox[8'h16] = 8'h47; + assign sbox[8'h17] = 8'hf0; + assign sbox[8'h18] = 8'had; + assign sbox[8'h19] = 8'hd4; + assign sbox[8'h1a] = 8'ha2; + assign sbox[8'h1b] = 8'haf; + assign sbox[8'h1c] = 8'h9c; + assign sbox[8'h1d] = 8'ha4; + assign sbox[8'h1e] = 8'h72; + assign sbox[8'h1f] = 8'hc0; + assign sbox[8'h20] = 8'hb7; + assign sbox[8'h21] = 8'hfd; + assign sbox[8'h22] = 8'h93; + assign sbox[8'h23] = 8'h26; + assign sbox[8'h24] = 8'h36; + assign sbox[8'h25] = 8'h3f; + assign sbox[8'h26] = 8'hf7; + assign sbox[8'h27] = 8'hcc; + assign sbox[8'h28] = 8'h34; + assign sbox[8'h29] = 8'ha5; + assign sbox[8'h2a] = 8'he5; + assign sbox[8'h2b] = 8'hf1; + assign sbox[8'h2c] = 8'h71; + assign sbox[8'h2d] = 8'hd8; + assign sbox[8'h2e] = 8'h31; + assign sbox[8'h2f] = 8'h15; + assign sbox[8'h30] = 8'h04; + assign sbox[8'h31] = 8'hc7; + assign sbox[8'h32] = 8'h23; + assign sbox[8'h33] = 8'hc3; + assign sbox[8'h34] = 8'h18; + assign sbox[8'h35] = 8'h96; + assign sbox[8'h36] = 8'h05; + assign sbox[8'h37] = 8'h9a; + assign sbox[8'h38] = 8'h07; + assign sbox[8'h39] = 8'h12; + assign sbox[8'h3a] = 8'h80; + assign sbox[8'h3b] = 8'he2; + assign sbox[8'h3c] = 8'heb; + assign sbox[8'h3d] = 8'h27; + assign sbox[8'h3e] = 8'hb2; + assign sbox[8'h3f] = 8'h75; + assign sbox[8'h40] = 8'h09; + assign sbox[8'h41] = 8'h83; + assign sbox[8'h42] = 8'h2c; + assign sbox[8'h43] = 8'h1a; + assign sbox[8'h44] = 8'h1b; + assign sbox[8'h45] = 8'h6e; + assign sbox[8'h46] = 8'h5a; + assign sbox[8'h47] = 8'ha0; + assign sbox[8'h48] = 8'h52; + assign sbox[8'h49] = 8'h3b; + assign sbox[8'h4a] = 8'hd6; + assign sbox[8'h4b] = 8'hb3; + assign sbox[8'h4c] = 8'h29; + assign sbox[8'h4d] = 8'he3; + assign sbox[8'h4e] = 8'h2f; + assign sbox[8'h4f] = 8'h84; + assign sbox[8'h50] = 8'h53; + assign sbox[8'h51] = 8'hd1; + assign sbox[8'h52] = 8'h00; + assign sbox[8'h53] = 8'hed; + assign sbox[8'h54] = 8'h20; + assign sbox[8'h55] = 8'hfc; + assign sbox[8'h56] = 8'hb1; + assign sbox[8'h57] = 8'h5b; + assign sbox[8'h58] = 8'h6a; + assign sbox[8'h59] = 8'hcb; + assign sbox[8'h5a] = 8'hbe; + assign sbox[8'h5b] = 8'h39; + assign sbox[8'h5c] = 8'h4a; + assign sbox[8'h5d] = 8'h4c; + assign sbox[8'h5e] = 8'h58; + assign sbox[8'h5f] = 8'hcf; + assign sbox[8'h60] = 8'hd0; + assign sbox[8'h61] = 8'hef; + assign sbox[8'h62] = 8'haa; + assign sbox[8'h63] = 8'hfb; + assign sbox[8'h64] = 8'h43; + assign sbox[8'h65] = 8'h4d; + assign sbox[8'h66] = 8'h33; + assign sbox[8'h67] = 8'h85; + assign sbox[8'h68] = 8'h45; + assign sbox[8'h69] = 8'hf9; + assign sbox[8'h6a] = 8'h02; + assign sbox[8'h6b] = 8'h7f; + assign sbox[8'h6c] = 8'h50; + assign sbox[8'h6d] = 8'h3c; + assign sbox[8'h6e] = 8'h9f; + assign sbox[8'h6f] = 8'ha8; + assign sbox[8'h70] = 8'h51; + assign sbox[8'h71] = 8'ha3; + assign sbox[8'h72] = 8'h40; + assign sbox[8'h73] = 8'h8f; + assign sbox[8'h74] = 8'h92; + assign sbox[8'h75] = 8'h9d; + assign sbox[8'h76] = 8'h38; + assign sbox[8'h77] = 8'hf5; + assign sbox[8'h78] = 8'hbc; + assign sbox[8'h79] = 8'hb6; + assign sbox[8'h7a] = 8'hda; + assign sbox[8'h7b] = 8'h21; + assign sbox[8'h7c] = 8'h10; + assign sbox[8'h7d] = 8'hff; + assign sbox[8'h7e] = 8'hf3; + assign sbox[8'h7f] = 8'hd2; + assign sbox[8'h80] = 8'hcd; + assign sbox[8'h81] = 8'h0c; + assign sbox[8'h82] = 8'h13; + assign sbox[8'h83] = 8'hec; + assign sbox[8'h84] = 8'h5f; + assign sbox[8'h85] = 8'h97; + assign sbox[8'h86] = 8'h44; + assign sbox[8'h87] = 8'h17; + assign sbox[8'h88] = 8'hc4; + assign sbox[8'h89] = 8'ha7; + assign sbox[8'h8a] = 8'h7e; + assign sbox[8'h8b] = 8'h3d; + assign sbox[8'h8c] = 8'h64; + assign sbox[8'h8d] = 8'h5d; + assign sbox[8'h8e] = 8'h19; + assign sbox[8'h8f] = 8'h73; + assign sbox[8'h90] = 8'h60; + assign sbox[8'h91] = 8'h81; + assign sbox[8'h92] = 8'h4f; + assign sbox[8'h93] = 8'hdc; + assign sbox[8'h94] = 8'h22; + assign sbox[8'h95] = 8'h2a; + assign sbox[8'h96] = 8'h90; + assign sbox[8'h97] = 8'h88; + assign sbox[8'h98] = 8'h46; + assign sbox[8'h99] = 8'hee; + assign sbox[8'h9a] = 8'hb8; + assign sbox[8'h9b] = 8'h14; + assign sbox[8'h9c] = 8'hde; + assign sbox[8'h9d] = 8'h5e; + assign sbox[8'h9e] = 8'h0b; + assign sbox[8'h9f] = 8'hdb; + assign sbox[8'ha0] = 8'he0; + assign sbox[8'ha1] = 8'h32; + assign sbox[8'ha2] = 8'h3a; + assign sbox[8'ha3] = 8'h0a; + assign sbox[8'ha4] = 8'h49; + assign sbox[8'ha5] = 8'h06; + assign sbox[8'ha6] = 8'h24; + assign sbox[8'ha7] = 8'h5c; + assign sbox[8'ha8] = 8'hc2; + assign sbox[8'ha9] = 8'hd3; + assign sbox[8'haa] = 8'hac; + assign sbox[8'hab] = 8'h62; + assign sbox[8'hac] = 8'h91; + assign sbox[8'had] = 8'h95; + assign sbox[8'hae] = 8'he4; + assign sbox[8'haf] = 8'h79; + assign sbox[8'hb0] = 8'he7; + assign sbox[8'hb1] = 8'hc8; + assign sbox[8'hb2] = 8'h37; + assign sbox[8'hb3] = 8'h6d; + assign sbox[8'hb4] = 8'h8d; + assign sbox[8'hb5] = 8'hd5; + assign sbox[8'hb6] = 8'h4e; + assign sbox[8'hb7] = 8'ha9; + assign sbox[8'hb8] = 8'h6c; + assign sbox[8'hb9] = 8'h56; + assign sbox[8'hba] = 8'hf4; + assign sbox[8'hbb] = 8'hea; + assign sbox[8'hbc] = 8'h65; + assign sbox[8'hbd] = 8'h7a; + assign sbox[8'hbe] = 8'hae; + assign sbox[8'hbf] = 8'h08; + assign sbox[8'hc0] = 8'hba; + assign sbox[8'hc1] = 8'h78; + assign sbox[8'hc2] = 8'h25; + assign sbox[8'hc3] = 8'h2e; + assign sbox[8'hc4] = 8'h1c; + assign sbox[8'hc5] = 8'ha6; + assign sbox[8'hc6] = 8'hb4; + assign sbox[8'hc7] = 8'hc6; + assign sbox[8'hc8] = 8'he8; + assign sbox[8'hc9] = 8'hdd; + assign sbox[8'hca] = 8'h74; + assign sbox[8'hcb] = 8'h1f; + assign sbox[8'hcc] = 8'h4b; + assign sbox[8'hcd] = 8'hbd; + assign sbox[8'hce] = 8'h8b; + assign sbox[8'hcf] = 8'h8a; + assign sbox[8'hd0] = 8'h70; + assign sbox[8'hd1] = 8'h3e; + assign sbox[8'hd2] = 8'hb5; + assign sbox[8'hd3] = 8'h66; + assign sbox[8'hd4] = 8'h48; + assign sbox[8'hd5] = 8'h03; + assign sbox[8'hd6] = 8'hf6; + assign sbox[8'hd7] = 8'h0e; + assign sbox[8'hd8] = 8'h61; + assign sbox[8'hd9] = 8'h35; + assign sbox[8'hda] = 8'h57; + assign sbox[8'hdb] = 8'hb9; + assign sbox[8'hdc] = 8'h86; + assign sbox[8'hdd] = 8'hc1; + assign sbox[8'hde] = 8'h1d; + assign sbox[8'hdf] = 8'h9e; + assign sbox[8'he0] = 8'he1; + assign sbox[8'he1] = 8'hf8; + assign sbox[8'he2] = 8'h98; + assign sbox[8'he3] = 8'h11; + assign sbox[8'he4] = 8'h69; + assign sbox[8'he5] = 8'hd9; + assign sbox[8'he6] = 8'h8e; + assign sbox[8'he7] = 8'h94; + assign sbox[8'he8] = 8'h9b; + assign sbox[8'he9] = 8'h1e; + assign sbox[8'hea] = 8'h87; + assign sbox[8'heb] = 8'he9; + assign sbox[8'hec] = 8'hce; + assign sbox[8'hed] = 8'h55; + assign sbox[8'hee] = 8'h28; + assign sbox[8'hef] = 8'hdf; + assign sbox[8'hf0] = 8'h8c; + assign sbox[8'hf1] = 8'ha1; + assign sbox[8'hf2] = 8'h89; + assign sbox[8'hf3] = 8'h0d; + assign sbox[8'hf4] = 8'hbf; + assign sbox[8'hf5] = 8'he6; + assign sbox[8'hf6] = 8'h42; + assign sbox[8'hf7] = 8'h68; + assign sbox[8'hf8] = 8'h41; + assign sbox[8'hf9] = 8'h99; + assign sbox[8'hfa] = 8'h2d; + assign sbox[8'hfb] = 8'h0f; + assign sbox[8'hfc] = 8'hb0; + assign sbox[8'hfd] = 8'h54; + assign sbox[8'hfe] = 8'hbb; + assign sbox[8'hff] = 8'h16; + +endmodule // aes_sbox + +//====================================================================== +// EOF aes_sbox.v +//====================================================================== |