Professional Documents
Culture Documents
Security IP 96 - HW4.6 - Hardware Reference and Programmer Manual - RevB
Security IP 96 - HW4.6 - Hardware Reference and Programmer Manual - RevB
Protocol-IP-96 HW4.6
Document Revision: B
Document Date: 2022-03-01
Document Number: 007-096460-207
Document Status: Accepted
Table of Contents
List of Tables
Table 1 Features ................................................................................................................................................ 19
Table 2 Supported crypto / hash combinations ................................................................................................ 23
Table 3 Maximum throughput figures (at 500 MHz) ......................................................................................... 26
Table 4 Maximum throughput figures for Low gatecount (at 500 MHz) ........................................................... 29
Table 5 Embedded standard IP cores ................................................................................................................ 33
Table 6 Gate counts for all standard configurations ......................................................................................... 34
Table 7 Gate counts for all low gatecount configurations ................................................................................. 35
Table 8 Memories, depending on interface ...................................................................................................... 35
Table 9 Clocks and Clock enables signals........................................................................................................... 39
Table 10 EIP-96 Interface Signal Descriptions ..................................................................................................... 42
Table 11 EIP-96-f Interface Signal Descriptions ................................................................................................... 53
Table 12 Context fetch control ............................................................................................................................ 70
Table 13 Relation between ‘Type of Destination’ and ‘Type of Packet’ fields .................................................... 73
Table 14 PRNG Performance ............................................................................................................................... 76
Table 15 IV Register Usage .................................................................................................................................. 81
Table 16 Selecting IV Source using Input Token Control Word ........................................................................... 83
Table 17 XTS tweak value load options ............................................................................................................... 94
Table 18 Reduced bitmask coding ....................................................................................................................... 96
Table 19 Instruction Operation Codes ............................................................................................................... 101
Table 20 Types of destination ............................................................................................................................ 102
Table 21 Padding Values for INSERT Instruction ............................................................................................... 104
Table 22 ‘Origin’ Field Encoding for Preprocessing Instructions ....................................................................... 104
Table 23 Little-endian representation of IPv4 header datagram ...................................................................... 121
Table 24 Little-endian representation of IPv6 header datagram ...................................................................... 122
Table 25 32-bit, little-endian representation of appended IPv4 data ............................................................... 124
Table 26 32-bit, little-endian representation of appended IPv6 data ............................................................... 125
Table 27 Typical ICV lengths for authentication operations with IPsec ............................................................ 128
Table 28 ‘Origin’ Field Encoding for CONTEXT_ACCESS Instruction .................................................................. 132
Table 29 Context Record Address Map for Context Fetch Mode = Address Mode ........................................... 135
Table 30 Decision Table for Address Set for Context Fetch Mode = Control Mode .......................................... 139
Table 31 Example Context Record Address Map for Context Fetch Mode = Control Mode ............................. 140
Table 32 Context Control Words layout ............................................................................................................ 140
Table 33 Coding of the context_size field.......................................................................................................... 143
Table 34 Result Token Error Codes .................................................................................................................... 155
Table 35 Result Token E14, E6, E5 and E4 errors .............................................................................................. 156
Table 36 Result Token Detailed Error Codes ..................................................................................................... 157
Table 37 Pad Info Fields Definition .................................................................................................................... 159
Table 38 Modes with inbound sequence number checking .............................................................................. 180
Table 39 Modes with inbound sequence number checking for extended masks ............................................. 181
Table 40 Modes with inbound sequence number checking for XL masks ......................................................... 181
Table 41 Register and Memory Map ................................................................................................................. 187
Table 42 AIC interrupt sources .......................................................................................................................... 210
Table 43 Supported IPv4 functionality .............................................................................................................. 219
Table 44 Supported IPv6 functionality .............................................................................................................. 219
Table 45 Supported ESP functionality ............................................................................................................... 220
List of Figures
Figure 1 Data stream naming convention........................................................................................................... 20
Figure 2 Two examples of EIP-96 system integration ......................................................................................... 22
Figure 3 General Data Processing Overview ....................................................................................................... 38
Figure 4 EIP-96 Block Diagram ............................................................................................................................ 41
Figure 5 FIFO input interface read timing ........................................................................................................... 47
Figure 6 FIFO output interface write timing ....................................................................................................... 47
Figure 7 TCM bus read timing ............................................................................................................................. 48
Figure 8 TCM bus write timing ............................................................................................................................ 48
Figure 9 DMA request/grant timing .................................................................................................................... 49
Figure 10 TCM master and DMA request interface cooperation ......................................................................... 50
Figure 11 Packet buffer RAM interface write timing ............................................................................................ 51
Figure 12 Packet buffer RAM read timing............................................................................................................. 51
Figure 13 EIP-96 external PRNG read timing ........................................................................................................ 52
Figure 14 EIP-96-f TCM bus read timing ............................................................................................................... 58
Figure 15 EIP-96-f TCM bus write timing .............................................................................................................. 58
Figure 16 EIP-96-f Token input FIFO interface read timing................................................................................... 59
Figure 17 EIP-96-f Token output FIFO interface write timing ............................................................................... 59
Figure 18 DMA request/grant timing .................................................................................................................... 60
Figure 19 TCM master and DMA request interface cooperation ......................................................................... 61
Figure 20 EIP-96-f Data Input FIFO interface timing diagram ............................................................................... 62
Figure 21 EIP-96-f Data Output FIFO interface timing diagram ............................................................................ 62
Figure 22 EIP-96-f Packet buffer RAM interface write timing ............................................................................... 63
Figure 23 EIP-96-f Packet buffer RAM read timing ............................................................................................... 63
Figure 24 EIP-96-f Example of address wrapping of the small buffer RAM access ............................................... 64
Figure 25 EIP-96-f external PRNG read timing ...................................................................................................... 64
Figure 26 Context update interface example timing diagram .............................................................................. 69
Figure 27 Packet processor with ToP=4’b000x ..................................................................................................... 72
Figure 28 Packet processor with ToP=4’b001x (left) and with ToP=4’b010x (right) ............................................. 72
Figure 29 Packet processor with ToP=4’b011x (left) and with ToP=4’b111x (right) ............................................. 73
Figure 30 Multiple encryption with triple DES using two keys. ............................................................................ 75
Figure 31 Schematic overview of the pseudo-random algorithm specified by ANSI X9.17 .................................. 76
Figure 32 Result IV using IV [2:0] = 3'b000 with IV format [11:10], XOR disabled ................................................ 84
Figure 33 Result IV using IV [2:0] = 3'b000, IV format [11:10]=’10’, XOR enabled ............................................... 85
Figure 34 Result IV using IV [2:0] = 3'b000, IV format [11:10]=’11’, XOR enabled ............................................... 85
Figure 35 Result IV using IV [2:0] = 3'b001 with IV format [11:10] , XOR disabled ............................................... 86
Figure 36 Result IV using IV [2:0] = 3'b010 with IV format [11:10] , XOR disabled ............................................... 86
Figure 37 Result IV using IV [2:0] = 3'b010, IV format [11:10]=’10’, XOR enabled ............................................... 87
Figure 38 Result IV using IV [2:0] = 3'b010, IV format [11:10]=’11’, XOR enabled ............................................... 87
Figure 39 Result IV using IV [2:0] = 3'b011 with IV format [11:10] , XOR disabled ............................................... 88
Figure 40 Result IV using IV [2:0] = 3'b100 with IV format [11:10] , XOR disabled ............................................... 88
Figure 41 Result IV using IV [2:0] = 3'b100, IV format [11:10]=’10’, XOR enabled ............................................... 89
Figure 42 Result IV using IV [2:0] = 3'b100, IV format [11:10]=’11’, XOR enabled ............................................... 89
Figure 43 Result IV using IV [2:0] = 3'b101 with IV format [11:10] , XOR disabled ............................................... 90
Figure 44 Result IV using IV [2:0] = 3'b110 with IV format [11:10] , XOR disabled ............................................... 90
Figure 45 Result IV using IV [2:0] = 3'b110, IV format [11:10]=’10’, XOR enabled ............................................... 91
Figure 46 Result IV using IV [2:0] = 3'b110, IV format [11:10]=’11’, XOR enabled ............................................... 91
Figure 47 Result IV using IV [2:0] = 3'b111 with IV format [11:10] , XOR disabled ............................................... 92
Figure 48 Result IV using IV [2:0] = 3'b111, IV format [11:10]=’10’, XOR enabled ............................................... 92
Figure 49 Result IV using IV [2:0] = 3'b111, IV format [11:10]=’11’, XOR enabled ............................................... 93
Figure 50 IPv4 (with checksum untouched) Instruction: datagram modifications ............................................. 111
Figure 51 IPv4_CHECKSUM Instruction: datagram modifications ...................................................................... 112
Figure 52 IPv6 Instruction: datagram modifications ........................................................................................... 113
Figure 53 IPv4 inserted field - insert_hash_result operation - AH header ICV field ........................................... 119
Figure 54 IPv4 appended field – insert_hash_result_operation – AH header ICV field...................................... 119
Figure 55 IPv4 header datagram ......................................................................................................................... 121
Figure 56 IPv6 header datagram ......................................................................................................................... 122
Figure 57 IPv4 updated fields - insert_result operation - ‘L’, ‘NH’, ‘CS’ and ‘P’ fields selected .......................... 123
Figure 58 IPv4 appended updates - insert_result operation - ‘L’, ‘NH’ and ‘CS’ fields selected ......................... 123
Figure 59 IPv6 updated fields - insert_result operation - ‘L’, ‘NH’ fields selected and ‘length’ = 0x28 .............. 124
Figure 60 IPv6 appended updates - insert_result operation - ‘L’, ‘NH’ fields selected and ‘length’ = 0x28 ....... 124
Figure 61 SHA-1, SHA-2, SHA-3 hash result endianness in context words ......................................................... 170
Figure 62 MD 5 hash result endiannes in context words ................................................................................... 172
Figure 63 Poly1305 MAC result endiannes in context words ............................................................................. 173
Figure 64 AES-GCM (GHASH) pre-calculation result endianness ........................................................................ 174
Figure 65 AES XCBC precalculation result endianness ........................................................................................ 175
Figure 66 Sequence number processing logic .................................................................................................... 179
Figure 67 EIP-96-cf Context FIFO interface timing diagram ................................................................................ 228
Figure 68 Key to timing diagrams ....................................................................................................................... 232
1 Introduction
1.1 Purpose
This manual describes the digital interfaces and signals used by the Protocol-IP-96 HW4.6 allowing the ASIC
designer to successfully integrate this IP into their design. This Embedded IP, also named EIP-96 is part of
Rambus Security IP modules that includes all formally known SafeXcel IP™ products from Inside Secure.
Hereafter the IP will be referred to as EIP-96.
To assist the software developer with programming the EIP-96 security features, this manual also provides
overviews, programming details on all supported token instructions, usage scenarios, and a complete map
of the internal registers and memory spaces.
For an extensive set of example tokens, refer to the EIP-96 Operations Manual with Token Examples [2]
document.
This document is not intended to be an architecture specification. Descriptions of the internal submodules
of the EIP-96 are outside of the scope of this manual.
1.2 Scope
This document covers the EIP-96 and EIP-96-f product features, functionality description, configuration
options, and performance and gate count figures. The detailed protocol operations are described in
separate documents. Details of sub-modules are out of the scope of this document.
The EIP-96 referenced to in this document has a superset of features that are available in the standard
configurations: EIP-96i, EIP-96ie, EIP-96is, and EIP-96ies. Differences between these configurations with
respect to the feature superset are indicated in this manual where applicable.
The EIP-96-f referenced in this document has a superset of features that are available in the ‘-
f’configurations: EIP-96i-f, EIP-96ie-f, EIP-96is-f, and EIP-96ies-f. Differences between these configurations
with respect to the standard EIP-96 configurations are indicated where applicable.
This information is correct at the time of document release. Rambus reserves the right to update the related
documents without updating this document. Please contact Rambus for the latest document revisions.
The preferred method for getting technical support is to use our online support system at
https://sipsupport.rambus.com. If you do not have an account yet for this system, please contact Rambus
technical support (sipsupport@rambus.com).
1.6 Conventions
Documentation conventions and terminology are described in Appendix F.1.
2.1 Features
The EIP-96 incorporates the following basic features for efficient processing of IPsec, SSL, TLS, DTLS, MACsec
and SRTP packets. See Table 1 below.
Table 1 Features
External interfaces IPv4 support
• DMA • Length field update
• TCM • Next header replacement
• FIFO • TTL decrement
Support of the following encryption algorithms Checksum update
• DES (ECB, CBC) IPv6 support
• 3DES (ECB, CBC) • Length field update
• AES-128/192/256 (ECB, CBC, CTR, ICM, CFB, OFB) • Next header replacement
• ARC4 (stateless, stateful) (EIP-96*s) • Hop-limit decrement
• Kasumi (basic and f8 (=UEA1)) (EIP-96*w) ESP support
• SNOW (128-EEA1 (=UEA2)) (EIP-96*w) • ESP header insertion / removal
• ZUC (basic and 128-EEA3 (=UEA3)) (EIP-96*w) • Using all available algorithms
• AES-XTS-128/192/256 (EIP-96*x) • Padding and de-padding
• ChaCha20 (EIP-96*b) • Next header retrieval
• SM4 (ECB, CBC, CTR, ICM, CFB, OFB) (EIP-96*c) • Extended sequence numbers and large mask
• BC0 (ECB, CBC, CTR, ICM, CFB, OFB) (EIP-96*c) • ICV appending / verification
Support of the following hash algorithms AH support
• CRC-32 • AH header insertion / removal
• MD5 (and HMAC) • Using all available hash algorithms
• SHA-1 (and HMAC) • Extended sequence numbers
• SHA-2: SHA-2241/SHA-2561 (and HMAC) • ICV update / verification
• SHA-2: SHA-3841/SHA-5121 (and HMAC) • IPv4 option header muting
(EIP-96*e) • IPv6 extension header muting
• SHA-3 (and HMAC, Keyed-hash) with digest lengths SSL/TLS/DTLS (excluding ARC4) support
224, 256, 384 and 512 (EIP-96*k) SSL/TLS/DTLS (including ARC4) support (EIP-96*s)
• AES-XCBC-MAC (all key sizes 128, 192 and 256-bit) • Header insertion / removal
• GHASH (used with AES-GCM) • Using all available algorithms
• Kasumi (f9 (=UIA1)) (EIP-96*w) • Padding and de-padding
• SNOW (128-EIA1 (=UIA2)) (EIP-96*w) • Sequence numbers
• ZUC (128-EIA3 (=UIA3)) (EIP-96*w) • MAC appending / verification
• Poly1305 (EIP-96*b) Standard 256-bit and 384-bit sequence number mask
• SM3 (and HMAC) (EIP-96*c) support. (EIP-96ies / EIP-96ieswx / EIP-96ieswxk)
Support of the following combined-mode algorithms Wireless algorithm support (EIP-96*w)
• AES-GCM/AES-GMAC (all key sizes 128, 192 and 256- • Basic integrity modes for 3GPP algorithms
bit) • Basic authentication modes for 3GPP algorithms
• AES-CCM (all key sizes 128, 192 and 256-bit) MACsec support
• ChaCha20-Poly1305 (basic and AEAD mode) • Header insertion / removal
(EIP-96*b) • Using AES-GCM/AES-GMAC
• Sequence numbers
• ICV appending / verification
1
In this document, SHA-224, SHA-256, SHA-384 and
SHA-512 refer to the SHA-2 algorithm with respectively
a digest length of 224, 256, 384 and 512 bit, as defined
by NIST in [FIPS Pub. 180-4].
outbound
RED Data data BLACK Data
(plaintext) inbound (encrypted)
data
Security
Boundary
DMA Context
CONTEXT
IN S M
CONTEXT DMA&TCM “Flow-through”
EIP-96-f
System Integration
Example
S 2TCM
TCM target
DMA controller
PACKET
I/O
S M
DMA
M PKT OUT
S
PACKET
RAM
M DMA Data In Data Out
System bus
PKT IN
DMA&TCM DMA&TCM
DMA Context
M CONTEXT DMA&TCM
“Look-a-Side”
CONTEXT
RAM S EIP-96 System Integration
S 2TCM Example
TCM target
OUTPUT
TOKEN
FIFO
* M is a master on the bus, S a slave (bridge and packet I/O can be both)
Figure 2 Two examples of EIP-96 system integration
The first and recommended scenario shows a flow-through implementation where both token and data are
cached in separate FIFOs. The EIP-96 reads the cached input tokens from the input token FIFO. DMA
requests for the related data blocks are setup, followed by sequential data writes from the input packet
FIFO to the EIP-96. As much data is written as is requested. When packet result data becomes available, the
EIP-96 requests (via DMA) the output packet FIFO to read data from the EIP-96 output buffer. When all
result data is read the packet result token is written to the result token FIFO. The EIP-96 is designed and
optimized for use in this type of system environment.
In the second example, the EIP-96 is connected as look-aside engine. In this scenario, the EIP-96 is used to
perform operations on packets from the packet RAM. Both original and result packets are in the same RAM.
Optionally the DMA request interfaces can be merged in one DMA engine. If a packet needs to be processed
by the EIP-96, the host writes a token to the token FIFO. When the EIP-96 finishes processing a packet, it
returns a result token in the result token FIFO.
2.7 Performance
The optimal performance of the EIP-96 will be met when multiple tokens are available for processing and
the fetching of context, input data or output data does not take longer than processing a packet.
The following requirements need to be met to have optimal performance figures:
1. When a packet is being processed, the next context needs to be fetched and at least some data of the
next packet must already be available before the current packet finishes processing.
2. During the processing of a packet, the previous packet must be read out of the result data RAM and its
token must be written to the result token FIFO before the current packet finishes processing.
3. In the standard EIP-96 the input data RAM may never become empty during processing of a packet. In
the EIP-96-f the external FIFO must always have data available while the engine is processing.
If these system requirements are met, the following optimal performance figures can be achieved.
Table 3 Maximum throughput figures (at 500 MHz)
Protocol Ciphe Hash Payloa Result Result Payload Packet Perfor
r d pkt size pkt throughpu throughpu mance
(bytes) (bytes) through t (Mbit/s) t (Mbit/s) (kpkts/sec
put )
(bits/clk)
IPsec ESP AES- SHA-12 9020 9080 11.4 [11.4] 5660 [5655] 5698 [5693] 78 [78]
outbound 128- 1436 1496 10.2 [10.1] 4872 [4847] 5075 [5050] 424 [422]
(IPv4 CBC
320 392 8.0 [8.0] 3282 [3232] 4021 [3960] 1282 [1263]
transport
-mode) 130 200 6.2 [6.1] 2016 [1970] 3101 [3030] 1938 [1894]
64 136 5.1 [5.0] 1196 [1164] 2542 [2473] 2336 [2273]
SHA2- 1436 1500 10.4 [6.9] 4952 [3340] 5172 [3480] 431 [291]
2561 320 396 8.5 [5.7] 3422 [2330] 4235 [2850] 1337 [910]
130 204 6.8 [4.5] 2149 [1460] 3372 [2260] 2066 [1413]
64 140 5.7 [3.7] 1293 [880] 2828 [1880] 2525 [1728]
AES- SHA-1 9020 9080 8.4 [8.4] 4183 [4180] 4211 [4208] 58 [58]
256-
64 136 4.8 [4.8] 1133 [1103] 2407 [2345] 2212 [2155]
CBC2
Triple SHA-1 1436 1488 3.5 1701 1763 148
DES- 320 376 3.4 1465 1721 572
CBC
130 184 3.3 1176 1665 1131
64 120 3.2 859 1611 1678
Table 4 Maximum throughput figures for Low gatecount (at 500 MHz)
Protocol Ciphe Hash Payloa Result Result Payload Packet Perfor
r d pkt size pkt throughpu throughpu mance
(bytes) (bytes) through t (Mbit/s) t (Mbit/s) (kpkts/sec
put )
(bits/clk)
IPsec ESP AES- SHA-1 9020 9080 6.2 3091 3111 43
outbound 128- 1436 1496 5.7 2715 2828 236
(IPv4 CBC2 320 392 4.8 1945 2383 760
transport
-mode) 130 200 3.9 1253 1928 1205
64 136 3.3 766 1629 1497
SHA2- 1436 1500 7.0 3343 3492 291
2561 320 396 5.8 2336 2891 912
3 Processing Overview
3.1 Processing Terms
This document makes frequent use of the terms ‘token’ and ‘context’. These terms refer to data structures
that the EIP-96 uses to perform packet processing operations. In IPsec, a context is a (packet independent)
data structure that contains key material and processing parameters associated with the processing of
packets that have been recognized (classified) to be sent through a specific IPsec tunnel. In IPsec
terminology, the Security Association (SA) structure that defines an IPsec tunnel is represented as the
context in the EIP-96. Because the EIP-96 can support more protocols than just IPsec, the EIP-96 context
contains more parameters than just the IPsec SA parameters. The term context is often said to describe a
packet transform. The term transform stems from the definition: if a packet is processed according to the
rules specified in the context, the packet is said to have been transformed by the EIP-96. Alternate terms for
the transformation of packets in this way are tunneling or encapsulation, which specifically refer to packet
transformations requiring the encryption of plaintext data, and the detunneling or decapsulation, the
reverse operation. Clearly, a context contains data that is not packet specific; multiple packets can be
processed (transformed) under the same context.
The term token refers to a data structure that is created for each (individual) packet. A token is a specific
data structure containing processing commands and instructions that the EIP-96 uses to process one
specific packet. Among other things, a token contains a pointer to a Context Record, as well as a number of
parameters extracted from the packet itself, for example, packet or packet header length, specific packet
header fields or offsets to such fields in the packet stream, that is, data that can change with each packet.
An EIP-96 token also contains ‘processing instructions’ used to control the detailed packet processing
operation performed by the EIP-96.
3.1.1 Tokens
The packet processing starts with providing a token to the EIP-96. From that moment, the EIP-96 starts
fetching the context and packet data autonomously. If the packet is processed, the result packet will be
stored and a result token is provided on an output interface.
The token provided to the EIP-96 must have at least four words: three words that constitute a minimum-
sized input token and one instruction word. The first three words contain pointers, options and packet
length. The next token words can contain instructions or data. The length of the input token is unlimited.
The order and sequence of instructions and data in the input token is restricted and is explained in Chapter
7. The result token can contain four to sixteen data words and contains the result-packet length, error flags,
packet result information and optionally meta data. See Chapter 10.
3.1.2 Context
The context data contains processing parameters and keying data. The first two words of each context
contain the options and information about the available fields in the context.
Note: For optimal performance, these first two context words (processing control words) can optionally
be located in the token so that the EIP-96 does not have to fetch them, reducing the context
information that the EIP-96 needs to fetch by, at least, 8 bytes.
The sequence of the different fields within a context is fixed, but not all fields need to be available. The
length of a field is variable and depends on the selected options and algorithms in the first two context
words. For optimal memory usage, all available fields are concatenated to each other.
Since multiple packets can use one context, a context can be reused. This means that the EIP-96 does not
always have to fetch a new context.
Figure 3
Output Context record optional Processing
Token input Input Pkt ptr (Next token)
pkt ptr pointer words Instructions
CONFIDENTIAL
General Data Processing Overview
Output
Output Pkt data transfer
packet data
Result token
Result Token
If ‘Optimal Context Update’ bit in ‘Token Control/Status Register’ (internal address 0x0, bit 16) is May start sooner
set, this dependency is released and the result token can be output in parallel with the context (see below)
data update (but only -after- packet processing was completed). This is only done (and useful) if
a new token is already available; in this case, packet processing can immediately commence for
the new packet without having to wait for the context data update to complete.
007-096460-207
Protocol-IP-96 HW4.6
38
Hardware Reference and Programmer Manual Rev. B
Security IP Protocol-IP-96 HW4.6
007-096460-207
Hardware Reference and Programmer Manual Rev. B
4 Architecture Overview
4.1 Introduction
This chapter describes all interfaces for both the standard EIP-96 and EIP-96-f. Section 4.2 describes the
clocking related signals, Section 4.3 describes the interfaces of standard EIP-96 configurations, Section 4.3.7
describes the EIP-96 configurations with streaming data interfaces, the EIP-96-f. Based on the customer’s
system the appropriate EIP-96 configuration must be selected. Refer to section 2.5 for details and system
integration examples for the two different EIP-96 configurations. Note that this chapter does not discuss the
impact of the size limitation of the data buffers. In the EIP-96-f configurations there is no input buffer and,
in case of a “small buffer” configuration, the output buffer is reduced in size from 2048 bytes to 320 bytes.
The effect of this size limitation of the output buffer is discussed in Section 4.4.8.
The remainder of this chapter (sections 4.4.9 and 4.6) describe context interface properties and the internal
modules of the EIP-96 and these are applicable to all configurations of the EIP-96.
4.2 Clocking
The EIP-96 provides clock enable signals to reduce power consumption, but does not contain the clock
switching logic itself. For verification purposes, clock gate models are provided in a separate EIP-96 shell-
level around the EIP-96 top-level module. These models are to be replaced with dedicated clock gates from
the target technology library by the integrator. Please refer to the EIP-96 Integration Manual [3] for details.
The EIP-96 has many clocks input signals. There is one global clock input clk and a number of individual clock
inputs to clock the cryptographic functions. These individual clocks must be all derivatives of the main clk,
meaning that the design is fully synchronous to one single clock. By using external clock switching, the
individual clocks can be enabled and disabled depending on the actual operation in progress, based on
information in the EIP-96 modules.
For details on the various clock signals and their enables, refer to Table 9.
ob_dpram_wdata_a[31:0]
Ib_dpram_wdata_a[31:0]
ob_dpram_rdata_b[31:0]
Ib_dpram_rdata_b[31:0]
ob_dpram_addr_a[8:0]
ob_dpram_addr_b[8:0]
Ib_dpram_addr_a[8:0]
Ib_dpram_addr_b[8:0]
ob_dpram_we_a[3:0]
Ib_dpram_cs_a
ob_dpram_cs_b
Ib_dpram_cs_b
ob_dpram_cs_
EIP96
tcm_di n_cs req tcm_do ut_cs
TCM TCM
tcm_di n_ad dr wb ls tcm_do ut_ad dr
DATA INPUT DATA OUTPUT
INTERFACE req da ta INTERFACE
tcm_di n_wd ata input req req output tcm_do ut_rda ta
di n_dma_req pre- wb ls ack post- do ut_dma_req
select
fetch da ta da ta store
DMA di n_dma_type processing da ta req req processing do ut_dma_type DMA
+ ack ack +
INPUT DATA di n_dma_in t_ad dr module ack wb ls wb ls module do ut_dma_in t_ad dr OUTPUT DATA
RAM packet processing RAM
REQUEST di n_dma_ext_ad dr da ta da ta do ut_dma_ext_ad dr
REQUEST
Control module Control
INTERFACE INTERFACE
di n_dma_gra nt ack ack do ut_dma_gra nt
context
data
tcm_ctx_cs
tcm_ctx_wri te
TCM tcm_ctx_ad dr TCM
CONTEXT context module
INTERFACE tcm_ctx_wd ata
control
control
control
control
control
data
tcm_ctx_rda ta
result
result
result
instr.
ctx_dma_req
token_wri te
DMA ctx_dma_type RESULT
token_ou t_do ne
CONTEXT ctx_dma_in t_ad dr
control module TOKEN
REQUEST ctx_dma_ext_ad dr token_da ta_ou t CONTROL
INTERFACE fifo_full
ctx_dma_gra nt INTERFACE
ctx_up d_ou t_wri te
token_in_done
token_data_in
tcm_sl_wdata
prn g_res_av
tcm_sl_rdata
prn g_res_rd
tcm_sl_write
tcm_sl_addr
ctx_sel_ack
ctx_sel_req
token_read
prn g_erro r
ctx_up d_id
fifo_empty
tcm_sl_cs
prn g_res
reset_n
interrupt
clk
T0 T1 T2 T3 T4 T5 T6 T7
clk
fifo_empty
token_in_done
token_read
T0 T1 T2 T3 T4 T5 T6 T7
clk
token_write
token_out_done
fifo_full
T0 T1 T2 T3 T4 T5 T6
clk
tcm_cs
tcm_write
T0 T1 T2 T3 T4 T5 T6
clk
tcm_cs
tcm_write
clk
dma_req
De-asserting the DMA grant signal on an active dma_req indicates that the requested DMA transfer is
active; the grant signal may not be reasserted (return to active) before the last data transfer for this DMA
request is complete. The DMA grant signal must be de-asserted immediately after acknowledging the
request and must remain inactive while the data is transferred. The EIP-96 expects that all addresses
starting from the DMA start address (dma_int_addr), and covered by the DMA transfer length, are written
to the EIP-96 (or read from the EIP-96) before the DMA grant signal is asserted.
The EIP-96 expects that a DMA request is granted on the positive clock edge while both dma_req and
dma_grant are ‘active’ (high) simultaneously.
In the figure below, ‘T1’ indicates the first clock cycle after dma_grant becoming inactive, that the core
could reassert the dma_req output. This means that if the external system keeps dma_grant high, the EIP-
96 expects that request to be granted the clock edge immediately following T1, when both dma_grant and
dma_req are asserted.
The dma_grant signal needs to be asserted for at least one cycle to indicate to the EIP-96 that the current
dma request is completed. So functionally (inside the EIP-96) the grant is also used to indicated the DMA
operation is completed and the EIP-96 received the requested data.
The tcm_cs signal for the first transfer may only be set to ‘1' at least one clock cycle after the clock cycle
where dma_grant is going low but can also be set a number of cycles later (see the Figure 10). As indicated,
the internal DMA address needs to be provided on the tcm_addr bus and incremented with four for each
individual access. Despite the use of these addresses, the EIP-96 will never read out-of-order or skip any
input or result data. However, for context accesses where result context data is stored in an external
memory location, the start address is most likely in the middle of context, since only a few fields require an
update. Additionally, the given dma_length may be lowered while a DMA transfer is active: this allows the
EIP-96 to shorten the ongoing DMA transfer based on information which is only available after the DMA
transfer has already started.
clk
dma_req T1
tcm_cs
When setting up a new packet data (din/dout) DMA request, the EIP-96 will keep track of the amount of
packet data read/written to determine the next offset from the packet pointer.
The value supplied on the ctx_dma_type[7,6,5,4,2,1,0] output signals are reserved and should be ignored
by the external system. The ctx_dma_type[3] signal indicates the required data transfer direction for
context data transfers. This signal is controlled by the “ Direction” bit, bit [11] of the CONTEXT_ACCESS token
instruction.
Clk
dpram_cs_a
Clk
dpram_cs_b
clk
prng_res_av
prng_res_rd
The three cases where the EIP-96-f needs to append result data are:
1. IPsec ESP inbound transport packets, where the IP header should be updated with length, checksum
and next header information after de-padding of the packet.
2. IPsec AH outbound packets, where the AH header should include the calculated ICV over the complete
packet.
3. IPsec ESP inbound tunnel packets, where the decapsulated IPv4 header should be updated with
Checksum bits after de-padding of the packet, as a result of updating the ECN bits.
In these cases, the EIP-96-f with small buffers corrects the packet, only with <empty> gaps in field locations
that need updating.
Please refer to Section 8.6.1 for details on the IRR instruction and data formatting of packet headers and
appended data. Only these cases, where data must be appended, apply to this configuration having a small
data output buffer.
T0 T1 T2 T3 T4 T5 T6
clk
tcm_cs
tcm_write
T0 T1 T2 T3 T4 T5 T6
clk
tcm_cs
tcm_write
Note: This interface is equal to the target interface of the standard EIP-96.
T0 T1 T2 T3 T4 T5 T6 T7
clk
fifo_empty
token_in_done
token_read
T0 T1 T2 T3 T4 T5 T6 T7
clk
token_write
token_out_done
fifo_full
clk
dma_req
The EIP-96-f expects that a DMA request is granted on the positive clock edge while both dma_req and
dma_grant are active (high) simultaneously.
In the figure below, ‘T1’ indicates the first clock cycle after dma_grant becoming inactive, that the core
could reassert the dma_req output. This means that if the external system keeps dma_grant high, the EIP-
96-f expects that request to be granted the clock edge immediately following T1, when both dma_grant and
dma_req are asserted.
The dma_grant signal needs to be asserted for at least one cycle to indicate to the EIP-96 that the current
dma request is completed. So functionally (inside the EIP-96-f) the grant is also used to indicated the DMA
operation is completed and the EIP-96-f received the requested data.
The tcm_cs signal for the first transfer may only be set to ‘1' at least one clock cycle after the clock cycle
where dma_grant is going low but can also be set a number of cycles later (see the Figure 10). As indicated,
the internal DMA address needs to be provided on the tcm_addr bus and incremented with four for each
individual access. Despite the use of these addresses, the EIP-96-f will never read out-of-order or skip any
input or result data. However, for context accesses where result context data is stored in an external
memory location, the start address is most likely in the middle of context, since only a few fields require an
update.
clk
dma_req T1
tcm_cs
T0 T1 T2 T3 T4 T5 T6 T7
clk
data_out_write
data_out_done
data_out_fifo_full
data_out_align[1:0] 0 Data 3
0 0
valid bytes
Note that the packet data is always aligned to a 32-bit boundary, even if the previous packet ended
misaligned. Since the EIP-96 can append result data to the packet (e.g. ICV for AH outbound and IPv4 header
information for ESP inbound transport), the EIP-96 can provide more data on the output than indicated by
the result packet length. The amount of appended result data is not included in the result packet length, but
indicated by a dedicated field in the result token. Please refer to Chapter 10 for details on the result token
format.
Clk
dpram_cs_a
Clk
dpram_cs_b
For FIFO interface configurations with small buffers, the output buffer size is restricted to 320 bytes. This
means that the internal address range of the data output RAM is limited from 7’h00 up to 7’h4F (or in
decimal numbers, in the range of 0 and 79 32-bit words, allowing access to 80 32-bit words). Consequently,
the FIFO interface configuration with small buffers does not generate addresses outside this range on the
Packet Output Buffer RAM Interface. Figure 24 shows an example of this wrapping at the read side of the
FIFO.
T-1 T0 T1 T2 T3 T4 T5 T6 T7 T8 T9 T10
clk
ob_dpram_cs_b
ob_dpram_rdata_b[31:0] D0 D1 D2 D3 D4
Address is wrapped.
It exceeds 0x4F after the increment with one
Figure 24 EIP-96-f Example of address wrapping of the small buffer RAM access
clk
prng_res_av
prng_res_rd
Attention: The use of the context update interface is mandatory when instantiating multiple EIP-96 cores
in one design and these instantiations process packets for the same context (SA-record).
Context sharing is only applicable for protocol (IPsec, DTLS) type of sequence number
generation and checking plus sequence number and sequence number masks updates.
Therefore, operations that inherit other context information from packet to packet must be
processed on the same instantiation of the EIP-96. This involves cipher operations with SSL
and TLS1.0, where the result IV or state from one packet must be used to process the next.
It is advised -for performance reasons- not to use the context update interface when instantiating only a
single EIP-96 core. The default values to tie-off this interface can be found in Table 10 and Table 11 for the
EIP-96 and EIP-96-f respectively. Outputs can be left unconnected.
The remainder of this section assumes instantiation of multiple EIP-96 cores and the required interface
behavior.
The EIP-96 can be configured to share its updates with other instantiations of the EIP-96 potentially using
the same Context Record. This configuration is done on a per-packet basis and all packets using the same
context (SA) must use the same token setting. If the Context Type (‘CT’) bit in the input token (bit [18] of the
token header word) is set, the EIP-96 takes the following actions.
This grouping defines the address writing and fetching modes, allowing efficient, tailored, updating of
the context records.
• After execution of the DMA, the grant should be asserted to indicate the DMA is completed. As a result,
the EIP-96 deasserts ctx_sel_req. Note that while the ctx_sel_req signal is asserted, additional DMA
may be requested by this EIP-96 instance.
• After completion of the final DMA in a sequence of DMAs, ctx_sel_req is deasserted, and another
instantiation can be acknowledged.
Note: Once an EIP-96 is acknowledged (ctx_sel_ack asserted to ‘1’) the acknowledge may not be
deasserted, unless the ctx_sel_req is inactive. If this requirement is not satisfied, Context Records
get corrupted.
Figure 26 shows an example timing diagram of the intended behavior of the context update interface and
the relation with the applicable DMA and TCM signals. There are several relations and dependencies. After
assertion of the ctx_sel_req signal the EIP-96 waits for the acknowledge (assertion of ctx_sel_ack) before
asserting the ctx_dma_req signal.
There are two requirements for the external system that goes along with the abovementioned signals.
tcm_ctx_cs may only be asserted one cycle after granting the dma request (ctx_dma_req) signal. Only after
(or with) deassertion of the ctx_sel_req signal the ctx_sel_ack signal may be deasserted.
clk
ctx_sel_req
ctx_upd_id[63:0] 0x12345678ABCDEF0
ctx_dma_type[x:0] 0x8
ctx_dma_int_addr[10:0] int_addr
ctx_dma_req
ctx_sel_ack
ctx_dma_grant
tcm_ctx_cs
tcm_ctx_rdata[31:0] D0 D1 D2
ctx_upd_out_write
ctx_upd_out_id[63:0] 0x12345678ABCDEF0
ctx_upd_out_data[31:0] D0 D1 D2
5 Initialization
Before the EIP-96 can be used for packet processing, the Host must initialize its configuration registers. This
section will discuss some general principles and methods for initializing and using the EIP-96 efficiently.
General concepts are presented here; details on the registers used for configuration can be found in
Appendix C.
Refer to Appendix C.1.1.4 for a description of the Context Control Register and Appendix B for the Context
Record definition.
input Blocked
hash
crypto Blocked
Figure 28 Packet processor with ToP=4’b001x (left) and with ToP=4’b010x (right)
hash
input only output output
hash input digest
M M
Hash context U hash Hash context U
X X
encrypt-then-hash
decrypt-then-hash
Figure 29 Packet processor with ToP=4’b011x (left) and with ToP=4’b111x (right)
Note: Due to system complexity, these figures represent the functional behavior of the system and not
the actual physical implementation.
As shown in the figures above, the input data can be directed to three possible destinations within the
packet processor (crypto, hash and/or output), defined by ‘Type of destination’ field (ToD) of the token
instruction, refer to Table 20. Output of the packet processor is always passed to the post-processor
module. The table below describes the relation between ‘Type of destination’ field of the instruction and
‘Type of Packet’ field (ToP) of context control word 0.
In summary, the ToD field determines where the input data should be made available in the packet
processor (the crypto block and/or the hash block and/or passed to the output). The ToP field in the context
configures the datapath within the packet processor itself, enabling crypto and hash blocks when needed
and determining the order of these operations.
Table 13 Relation between ‘Type of Destination’ and ‘Type of Packet’ fields
6.1 Purpose
This EIP-96 optionally includes an ANSI X9.17 compliant Pseudo Random Number Generator (PRNG) that
provides a pseudo random data for generating keys, Initialization Vectors (IVs), etc.
The PRNG provides up to 16-bytes of data at a time, enabling the generation of random IVs for DES, Triple-
DES, AES, SM4 and BC0 on a per packet basis without slowing down the system. The DES block within the
PRNG uses a 64-bit LFSR as input data.
Unlike true random number generators, which exploit the randomness that occurs in some physical
phenomena, pseudo random number generators are devices or algorithms that output statistically
independent and unbiased numbers. In general, a PRNG is a deterministic algorithm that for a given truly
random binary sequence (provided as a combination of the seed and key registers), outputs a binary
sequence which “appears” to be random.
P E D E C
K0,K1
Key0/1
V R
Seed Result
6.3 Performance
The PRNG can produce a new 64-bit pseudo random number every 83 system clock cycles, or a 128-bit
pseudo random number every 165 system clock cycles. See Table 14 below.
Table 14 PRNG Performance
Note: When the EIP-96 is using AES, SM4 or BC0, the PRNG should generate 128-bit numbers and hence
bit[2] of the PRNG Control Register must be set to '1' in order to get sufficiently strong random
data. For (3)DES, this bit may be set to '0' but in a typical case where DES, SM4, BC0 and AES are
used, it is recommended to set this bit to '1' and leave it at this value. Refer to Section C.2.2.
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
– – U IV C ToO RC CT CP IP input packet length
input packet pointer (optional for EIP-96-f configurations)
output packet pointer/identifier
transform record pointer / context pointer (lower 32-bit)
MSW of transform record pointer / context pointer (higher 32-bit) (optional, default uses 32-bit pointer)
context control 0 (optional)
context control 1 (optional)
IV0..1..2..3 (optional)
U-word - Optional debug options, must all be set to ‘0000’ checksum (optional)
processing instructions
bypass token data (optional)
Note: All bits marked ‘-’are reserved and should be set to ‘0’.
Note that in case the EIP-96 is instructed to do the header update in its internal RAM, but the packet is too
large to fit into the EIP-96 output buffer, then the EIP-96 will still revert to appending the result to the
packet.
7.2.1.1.6.1 ToO[1:0]
00: no header update.
This setting is normally used if no header update instructions are present in the token.
Note: If header update instructions are still present in the token, they are discarded by the EIP-
96 and no header updates will take place.
01: header update – small packets only.
This setting causes the EIP-96 to hang on to the result packet data, to attempt to update
the packet header immediately. In case the packet is too large to fit into the EIP-96
internal result packet buffer, the EIP-96 starts writing out the packet data after the result
packet is equal to or exceeds the size of 1792 bytes (including padding bytes that are not
yet removed), and the EIP-96 will revert to appending the result data at the end of the
packet data.
10: append result to packet.
This setting prevents the EIP-96 from updating the packet header in its internal packet
buffer. Writing out of the packet data can start as soon as enough data is available. The
update data is appended to the end of the packet.
11: header update and result appending.
This setting is required if the token contains instructions for both a header update as well
as result data to be appended to the packet. The EIP-96 will keep the packet data in its
internal packet buffer (under the same conditions as listed for option ‘01’) until the ‘STAT’
bits of one of the postprocessing instructions (see Appendix 8.3) indicates that the last
header update instruction has been processed. Update data from any postprocessing
instruction, following the ‘last header update’ postprocessing instruction, will be
appended to the packet. Packet data output will commence after the ‘last header update’
bits have been seen.
The ToO bits affect the operation of the INSERT_REMOVE_RESULT and REPLACE_BYTE instructions. Refer to
Section 8.6, Postprocess Instructions.
7.2.1.1.6.2 ToO[2]
Bit 2 of the Type of Output field is used to indicate pad removal options. This bit may only be set for
inbound operations. If the bit is set, the padding type in the Context Record must be one of the following:
PKCS#7, RTP, IPsec, TLS, or SSL.
0: no pad removal
1: remove and (optionally) verify pad
Note: Accidental use of this bit for outbound operations can result in unwanted pad removal or an error
situation, if no padding is found.
Note: In the case of TLS1.3 padding, removal of padding with a size that exceeds the output buffer
restrictions is not possible. This will be reported in the result token, see Section 10.
7.2.1.1.7 C: Context control words present in token
Setting this bit forces the EIP-96 to read the context control words (normally, the first two words of the
Context Record) from the token (context control0 and context control1).
Providing the token control words in the token has implications on the context fetch. The standard EIP-96
configurations automatically handle this situation. However, for EIP-96 configurations with a FIFO based
context interface (refer to Appendix E), the EIP-96 does not expect the context control words to be provided
via the context FIFO input interface. So when providing a token with context control words in EIP-96-f
configurations, the context (provided via the context interface) must start with the first field after the two
command words.
Setting both control words to all zeroes causes the EIP-96 to bypass the entire packet without attempting to
fetch a Context Record from external memory. This provides a slight (bypass) performance increase over a
token specifying only a bypass instruction. This means that in the latter case, the EIP-96-f configurations do
not expect a context to be provided on the context input interface.
The context control words in the token are formatted identically to the command words in the Context
Record (see Section 9.1).
7.2.1.1.8 IV: Usage and Selection
Table 15 shows typical examples of how the IV registers can used for six types of crypto operations:
DES/3DES-CBC, AES/SM4/BC0-CTR, AES/SM4/BC0-ICM, AES/SM4/BC0-CBC and ChaCha20. Note that in the
EIP-96, IV fields (IV0 through IV3) can be taken from four possible sources:
• Context Record,
• PRNG,
• Input Token,
• Input Packet – indirectly via Input Token processing instruction.
• For AES-XTS limited loading options are available, refer to section 7.2.1.1.8.3 for more details.
Table 15 IV Register Usage
IV3/IV2/IV1/IV0
(mode)
CCW1 [2:0]
CCW1 [8:5]
IV[2:0]
IV0 IV1 IV2 IV3
DES/3DES-CBC Input Input not used not used 000 001 000 0 0
packet1 packet1 0 0
PRNG PRNG not used not used 001 001 000 0 0
0 0
Context Context not used not used 000 001 001 0 0
record record 1 0
Input token Input token not used not used 110 001 000 0 0
0 0
AES-CTR2 / Input Input Input Input 000 110 000 0 0
SM4/BC0-CTR packet1 packet1 packet1 packet1 0 0
32’h0000000 000 010 000 0 0
1 0 0
PRNG PRNG PRNG PRNG 001 110 000 0 0
0 0
(nonce) Input Input 32’h0000000 000 010 000 0 0
Context packet1 packet1 1 1 1
record PRNG PRNG 32’h0000000 001 010 000 0 0
1 1 1
sequence sequence 32’h0000000 000 010 000 1x 0
nbr nbr 1 1
Context Context Context 000 110 111 0 0
record record record 1 0
32’h0000000 000 010 011 0 0
1 1 1
(nonce) Input Input 32’h0000000 100 010 000 0 0
Input token packet1 packet1 1 0 1
[2:0]
CCW1 [8:5]
IV3/IV2/IV1/
Mode [2:0]
Encryption IV Sources
[11:10] IV
[4]
Control
[28:26]
Crypto
enable
format
IV[2:0]
Token
CCW1
algorithm
XOR
IV0
CCW1
CCW1
(mode)
[2:0]
CCW1 [8:5]
IV3/IV2/IV1/
Mode [2:0]
Encryption IV Sources
[11:10] IV
[4]
Control
[28:26]
Crypto
enable
format
IV[2:0]
Token
CCW1
algorithm
XOR
IV0
CCW1
CCW1
(mode)
XOR seq nbr XOR seq nbr 32’h0000000 000 1xx 111 1 1
0 1 0
Kasumi (f8) Context Context not used not used 000 001 001 0 0
record record 1 0
Input token Input token not used not used 110 001 000 0 0
0 0
SNOW and ZUC Input token Input token Input token Input token 111 001 000 0 0
(UEA) 3 0 0
1
The IV words loaded from the Input Packet are retrieved from the input data stream with a RETRIEVE instruction;
please refer to this instruction for more details.
IVs sourced from input packet are typically used for inbound (decrypt) type operations, where the IVs are sent
along with the packet data (for example, ESP decapsulation). Internally generated IVs are typically used for
outbound (encrypt) operations.
2
AES-CTR is the underlying crypto algorithm for AES-GCM and AES-CCM. Therefore, generally, the same IV loading
mechanism applies. By exception, AES-CCM used in TLS 1.2/1.3 requires loading a shifted IV, see CCW1[21]
setting in section 9.2.2.
3
For SNOW and ZUC (UIA), non-zero bit alignment may be required. For an example, refer to the EIP-96
Operations Manual with Token Examples [2].
4
ChaCha20 is the underlying crypto algorithm for ChaCha20-Poly1305 AEAD. One-Time-Key calculations (CCW1[2]
equals ‘1’) require initialization of IV3 to 32’h00000000, since IV3 is used as the initial ChaCha20 block counter.
For the default IV loading option per algorithm, refer to the EIP-96 Operations Manual with Token Examples [2].
The ‘IV’ bits of the input token control word provide for the options identified in Table 16 below. Since the
‘IV format’ options (bits [11:10] in Context Control Word 1) can modify the IV source further, please refer to
Section 7.2.1.1.8.2, “Summary of Possible IV Selection Result Scenarios” following this table.
Note that in addition to the ‘IV format’ field, the IV3 ‘counter value’ may also be modified according to the
‘Crypto Mode’ field setting, (bits [2:0] of Context Control Word 1), by automatically initializing this counter
value to 32’h00000000, 32’h00000001 or 16’h0000. Refer to Section 9.2.
Table 16 Selecting IV Source using Input Token Control Word
011 Source IV3 field from the input token and use PRNG for other IV fields.
100 Source IV0 and IV3 fields from the input token and keep the context values for the
other IV fields.
101 Source IV0 and IV3 fields from the input token and use PRNG for other IV fields.
110 Source IV0 and IV1 fields from the input token and keep the context values for the
other IV fields.
111 Source all four IV fields from the input token.
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
IV0 / Nonce IV1 IV2 IV3
Full IV mode à
‘01’:
IV0 / Nonce IV1 IV2 IV3
Counter mode à
From context
Incremented
Figure 32 Result IV using IV [2:0] = 3'b000 with IV format [11:10], XOR disabled
basis:
IV 0 / Nonce IV1 IV2 IV 3
Full IV mode à
XOR XOR
RR
128 -bit IV register
after Load IV option
(000 ) with ‘IV format
bits set to :
‘01’/’10’:
Original sequence IV0 Sequence number XOR {IV1, IV2} IV 3
number mode à
basis:
IV 0 / Nonce IV1 IV2 IV 3
Full IV mode à
Incremented Incremented
XOR XOR
128 -bit IV register
after Load IV option
(000 ) with ‘IV format
bits set to :
‘11’:
Incremented sequence
number modeà IV0 Sequence number XOR {IV1, IV2} IV 3
(outbound only)
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
PRNG output
Full IV mode à
‘01’:
IV0 / Nonce PRNG output IV3
Counter mode à
From context
Incremented
Figure 35 Result IV using IV [2:0] = 3'b001 with IV format [11:10] , XOR disabled
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
IV0 / Nonce IV1 IV2 Token IV word
Full IV mode à
‘01’:
IV0 / Nonce IV1 IV2 Token IV word
Counter mode à
From context
Incremented
Figure 36 Result IV using IV [2:0] = 3'b010 with IV format [11:10] , XOR disabled
basis:
IV 0 / Nonce IV1 IV2 Token IV word
Full IV mode à
XOR XOR
RR
128 -bit IV register
after Load IV option
(010 ) with ‘IV format
bits set to :
‘01’/’10’:
Original sequence IV0 / Nonce Sequence number XOR {IV1, IV2} Token IV word
number mode à
basis:
IV 0 / Nonce IV1 IV2 Token IV word
Full IV mode à
Incremented Incremented
XOR XOR
128 -bit IV register
after Load IV option
(010 ) with ‘IV format
bits set to :
‘11’:
Incremented sequence
number modeà IV0 / Nonce Sequence number XOR {IV1, IV2} Token IV word
(outbound only)
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
PRNG output Token IV word
Full IV mode à
‘01’:
IV0 / Nonce PRNG output Token IV word
Counter mode à
From context
Incremented
Figure 39 Result IV using IV [2:0] = 3'b011 with IV format [11:10] , XOR disabled
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
1st token IV word IV1 IV2 2nd token IV word
Full IV mode à
‘01’:
1st token IV word IV1 IV2 2nd token IV word
Counter mode à
From context
Incremented
Figure 40 Result IV using IV [2:0] = 3'b100 with IV format [11:10] , XOR disabled
basis:
1st token IV word IV1 IV2 2nd token IV word
Full IV mode à
XOR XOR
RR
128 -bit IV register
after Load IV option
(100 ) with ‘IV format
bits set to :
‘01’/’10’:
Original sequence 1st token IV word Sequence number XOR {IV1, IV2} 2nd token IV word
number mode à
basis:
1st token IV word IV1 IV2 2nd token IV word
Full IV mode à
Incremented Incremented
XOR XOR
128 -bit IV register
after Load IV option
(100 ) with ‘IV format
bits set to :
‘11’:
Incremented sequence
number modeà 1st token IV word Sequence number XOR {IV1, IV2} 2nd token IV word
(outbound only)
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
token IV word PRNG output token IV word
Full IV mode à
‘01’:
token IV word PRNG output token IV word
Counter mode à
From context
‘10’:
Original sequence token IV word Sequence number token IV word
number mode à
‘11’: reserved
Figure 43 Result IV using IV [2:0] = 3'b101 with IV format [11:10] , XOR disabled
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
token IV word token IV word IV2 IV3
Full IV mode à
‘01’:
token IV word token IV word IV2 IV3
Counter mode à
From context
Incremented
Figure 44 Result IV using IV [2:0] = 3'b110 with IV format [11:10] , XOR disabled
basis:
Token IV word Token IV word IV2 IV 3
Full IV mode à
XOR XOR
RR
128 -bit IV register
after Load IV option
(110 ) with ‘IV format
bits set to :
‘01’/’10’:
Original sequence Token IV word Seq nbr XOR {Token IV word, IV2} IV3
number mode à
basis:
Token IV word Token IV word IV2 IV 3
Full IV mode à
Incremented Incremented
XOR XOR
128 -bit IV register
after Load IV option
(110 ) with ‘IV format
bits set to :
‘11’:
Incremented sequence
number modeà Token IV word Seq nbr XOR {Token IV word, IV2} IV3
(outbound only)
128-bit IV register
IV0 / Nonce IV1 IV2 IV3
after context load à
128-bit IV register
after Load IV option
(000) with ‘IV format
bits set to:
‘00’:
token IV word token IV word token IV word token IV word
Full IV mode à
‘01’:
token IV word token IV word token IV word token IV word
Counter mode à
From context
Incremented
Figure 47 Result IV using IV [2:0] = 3'b111 with IV format [11:10] , XOR disabled
XOR XOR
RR
128 -bit IV register
after Load IV option
(111 ) with ‘IV format
bits set to :
‘01’/’10’:
Original sequence Token IV word Sequence nbr XOR {Token IV word} Token IV word
number mode à
basis:
Token IV word Token IV word Token IV word Token IV word
Full IV mode à
Incremented Incremented
XOR XOR
128 -bit IV register
after Load IV option
(111 ) with ‘IV format
bits set to :
‘11’:
Incremented sequence
number modeà Token IV word Sequence nbr XOR {Token IV word} Token IV word
(outbound only)
Note that the big endian value ‘j’ must be provided in a little endian fashion to the 128-bit immediate field
of the input token, for example a ‘j=1’ should be assigned to bits [127:96] as 0x01000000 and a ‘j’ of
0x12345 should be assigned to bits [127:96] as 0x45230100. The other 96 bits ([95:0]) must be set to zero in
this case).
Only 32 bits of the token immediate field are used to supply ‘j’ so the range of ‘j’ is limited to 232-1. The
specified maximum in IEEE specification for XTS [0] is 2128-2. To use the EIP-96 with a ‘j’ that is larger than
232-1, the host should calculate the intermediate tweak value (Tj = T0 × αj) and load this value as indicated in
the table. When loading a pre-calculated Tweak (Tj) the value of ‘j’ must be set to 0.
If ‘j’ is zero for a specific XTS operation, loading of the 128-bit immediate field from the token can be
skipped since ‘j’ is forced to zero internally. This reduces the size of the input token.
Attention: For XTS when providing a ‘j’, the calculation of Tj on the EIP-96 takes ‘j’ clock cycles. For very
large values of ‘j’ it may be faster to pre-calculate Tj on the host.
Note: If the input packet pointer is not part of the input token (for EIP-96-f configurations with token
header bit [17] set to one) this word is token dword [2] and optionally also [3])
7.2.1.6 IV [3:0]
(optional)
Optionally (refer to Table 16), IV [3:0] may be placed in the input token at the next four available dword
locations, [n+3:n], where n is 3, 4, 5, 6 or 7, depending on ‘IP’, ‘CP’ and ‘C’ bit.
7.2.1.7 Checksum
(optional)
Optionally, a 16-bit checksum may be placed in the input token in the lower 16-bit range at the next
available dword location [n], where n in [3:11]. See 7.2.1.1.9.
7.2.1.8 U-word
The EIP-96 engine’s internal static bitmask (currently 1024 bit is supported) is initially written using the
static bitmask fields (lmask0 to lmask 31) of the Context Record during a context fetch operation. The active
bitmask range can then be reduced to a smaller width, according to Table 18, before the internal static
bitmask is actually used with bitmask dependent operations. The bitmask limitation options are described in
this section.
Table 18 Reduced bitmask coding
Using a reduced bitmask when the Context Record is defined with an XL bitmask has some interesting
consequences:
1. While a packet may be rejected being out-of-window with a “small” reduced mask, it may be accepted
lateron being in-window if a larger or full-sized mask is applied. The rejection will not lead to a mask
update, leaving the bit position as it was.
2. Similarly, while a packet may be rejected being out-of-window with a “small” reduced mask, it may be
rejected for being replayed lateron if a larger or full-sized mask is applied (and the sequence number
was accepted before).
3. Updates of the sequence number may lead to clearing portions of the mask – regardless of which
reduced mask was selected – up to the full-sized mask. So, context updates (of the bitmask) are not
necessarily limited by using a reduced mask.
Optionally, debugging information may be placed in the input token in the remaining upper 16-bit range, i.e.
bits [31:16], in the dword which is shared with the optional Checksum. Refer to Appendix A.2.4.1 for more
information on the related debugging features.
8 Processing Instructions
8.1 Instruction Types
There are five types of processing instructions. The first two types (Operational Data and IP Header
Instructions) are executed by the EIP-96 preprocessor and may occur in any order. These preprocessor
instructions create the different data streams for crypt, hash and output.
The third type execute on the result data stream by the EIP-96 post process module. Instructions of Type 3
can be mixed with the Type 1 and 2 instructions. Type 3 instructions can modify or append result data fields
in the output packet.
Note: Types 1, 2, and 3 instructions are also referred to as Data Processing Instructions, since these are
the only instructions “executed” by the pre and postprocessors.
Type 4 instructions are executed by the EIP-96 control module and may only occur after Types 1, 2, and 3
instructions.
Type 5 instructions are also executed by the EIP-96 control module and may occur before or after all the
Types 1, 2, and 3 instructions, which means not in between.
Type 4 and 5 instructions are executed in the control module and do not affect the result data. Only Context
Records and result tokens contain the results of these instructions.
The following subsections group the processing instructions under their appropriate instruction type. Also
shown are the key fields used by each instruction.
Sequencing of Instructions:
Context Control Instructions with the ‘result type’ field equal to ‘00’
(See Note 2)
Data Processing Instructions (Instruction Types 1, 2 and 3)
(See Note 1)
Context Control Instructions with the ‘result type’ field equal to ‘00’
(See Note 2)
Result Instructions (Instruction Type 4)
Context Control Instructions (Instruction Type 5)
Special Instructions (Instruction Type 6)
Notes:
1. Data Processing Instructions are all instructions executed by the pre/post-processor.
2. ‘Result type’ = ‘00’ refers to Context Control Instructions that always execute, and therefore have
their ‘F’ and ‘P’ instruction fields set to ‘0’. (Refer to Section 8.8.). Typical use cases only require
context control instruction at the end of a token after the Result Instructions.
Instruction Format
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode instruction dependent fields STAT length / offset
data (optional)
8.3.1 length/pointer
8.3.1.1 length
If a length field applies, indicates the number of bytes that are to be processed by the instruction. For Type
1 instructions, the length field must be greater than zero.
8.3.1.2 offset
If an offset field applies, it is the offset into the output stream. All data bytes are written into the data
stream starting at this offset position.
8.3.2 STAT
8.3.2.1 STAT definition for Type 1 and 2 instructions
The status field is used to make sure cryptographic and authentication operations are completed. As long as
the status bits are zero, all data streams expect to receive more data after execution of this instruction. If
the hash status bit (bit 17) is set, the current instruction passes the last hash data. If the last data bit (bit 18)
is set, the current instruction has operated on the last data bit from the datapath through the packet-
processing engine.
Encoding of the STAT field for Type 1 and 2 instructions:
00: processing
01: last hash data for hash engine
10: last data for packet processing
11: last hash data for hash engine and last data for packet processing
8.3.4 opcode
Each instruction has a unique operation code (opcode). The following table provides a complete list of
instruction operation codes. The opcodes for reserved instructions may not be used.
Attention: Token instructions sending data to the crypto engine (meaning instructions having the crypto
engine bit set in the type of destination field, bit [26] in most instructions) must be following
each other directly. That is, the input to the crypto engine must be provided as a single,
uninterrupted, block of data. There cannot be instructions ‘in between’ sending data to
destinations, other than the crypto engine. The crypto engine cannot handle any data
alignment issues that may occur if intermediate data handling instructions occur between two
instructions targeting the crypto engine.
DIRECTION
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 0 0 0 – – – – 0 – – – – – – – – – – – – – – – – – – – – – – –
L (Last): When the ‘L’ bit is set, and the crypto data bit (bit 26) in the ‘t.o.dest.’ field is also set, then this is
the last crypto data block. In the case of CTR or ICM mode, the ‘L’ bit must be set for the last block; for all
other modes this bit is optional.
When the ‘L’ bit is set, and the hash bit (bit 25) in the ‘t.o.dest.’ field is also set, while the crypto bit (bit26) is
NOT set, then this is the last hash data before crypto data. The ‘L’ bit is only required for a GHASH (GCM)
operation where the AAD data needs to be hashed in a separate operation before the crypto data is hashed.
opcode: Refer to Section 8.3.4, for a description of this field.
PRE_CHECKSUM
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.cmd. origin STAT checksum update value
0 0 0 1 – 1 1 1 0 1 0 1 0 0 0 – – – – – – – – – – – – – – – – –
checksum update value: This value must be the difference between the old checksum value and the new
desired checksum value. The checksum update value is generated as follows:
XOR original values with 0xFFFF (invert). Use this result to perform a 16-bit ‘ADD with carry’ with the
‘checksum update value’ field of the PRE_CHECKSUM instruction. The result of this calculation is then XOR’d
with 0xFFFF and replaces the original value in the data stream.
STAT: Refer to Section 8.3.2.1, for a description of this field.
origin: The origin field must be set to ‘01010’.
t.o.cmd. (type of command): This field must be set to ‘111’.
L (Last): The description for the ‘L’ field is the same as in Section 8.4.1, DIRECTION Instruction.
Note that when PRE_CHECKSUM is used with IP protocol, L is always set to ‘0’, since the checksum is never
last.
opcode: Refer to Section 8.3.4, for a description of this field.
INSERT
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. padding/origin STAT extended length / insert value length
0 0 1 0 – – – – – – – – – – – – – – – – – – – – – – – – – – – –
length: Refer to Section 8.3.1.1, for a description of this field. Note that when padding is inserted, this field
indicates the total number of the padding bytes.
Example: To add 14 IPsec padding bytes, length field and next header, specify
the length value of 16 (0x10 in hexadecimal). To add 20 bytes of SSL or TLS
padding and length field, specify the length value of 21 (0x15 in hexadecimal).
extended length / insert value: Depending on the value of the padding/origin field, this field is interpreted
as either the ‘extended length’ (the upper 8 bits of the length value) or the ‘insert value’ (the value to be
used for certain padding modes, e.g. Constant, RTP, and SSL.
STAT: Refer to Section 8.3.2.1, for a description of this field.
padding/origin: The INSERT instruction uses the padding/origin field for one of two possible purposes,
padding or origin.
If the length exceeds the fields of one origin type, it will continue with the next field that is located on the
next origin location. Be aware that after the fourth hash word, the fifth up to the 16 th hash-word are read.
t.o.dest. - type of destination: The values for the ‘t.o.dest.’ field are the same as those listed in Section
8.4.1, DIRECTION Instruction.
L (Last): The description for the ‘L’ field is the same as in Section 8.4.1, DIRECTION Instruction.
opcode: Refer to Section 8.3.4, for a description of this field.
INSERT (immediate)
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 0 1 0 – – – – 1 1 0 1 1 – – 0 0 0 0 0 0 0 0 – – – – – – – – –
data
data
NOP
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. padding/origin STAT reserved
0 0 1 0 0 0 0 0 0 0 0 0 0 – – 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0
This instruction does not process any data and takes exactly one clock cycle to process. Note that the
sequencing rules must still be respected and that since the ‘t.o.dest’ is zero (the crypto-bit is not set) the
cryptographic data stream may not be interrupted with this NOP instruction.
INSERT_CTX
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT context dest. reserved length
1 0 0 1 – – – – – – – – – – – – – – – – 0 0 0 0 – – – – – – – –
Note: When using the INSERT_CTX instruction to read fields from the context that were updated by a
previous instruction, another instruction must be used prior to the INSERT_CTX instruction. This
can be any instruction or simply the NOP instruction. This assures that the EIP-96 has time to
commit the updated context values before they can be read.
REPLACE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 0 1 1 – – – – – – – – – – – 0 0 0 0 0 0 0 0 – – – – – – – – –
t.o.dest. - type of destination: The values for the ‘t.o.dest.’ field are the same as those listed in Section
8.4.1, DIRECTION Instruction.
L (Last): The description for the ‘L’ field is the same as in Section 8.4.1, DIRECTION Instruction.
opcode: Refer to Section 8.3.4, for a description of this field.
RETRIEVE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 1 0 0 – – – – – – – – – – – 0 0 0 0 0 0 0 0 – – – – – – – – –
L (Last): The description for the ‘L’ field is the same as in Section 8.4.1, DIRECTION Instruction.
opcode: Refer to Section 8.3.4, for a description of this field.
RETRIEVE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 1 0 0 – – – – – – – – – – – 0 0 0 0 0 0 0 0 – – – – – – – – –
RETRIEVE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 1 0 0 0 0 0 0 – – – – – – – 0 0 0 0 0 0 0 0 – – – – – – – – –
RETRIEVE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L t.o.dest. origin STAT length
0 1 0 0 0 0 0 0 1 1 0 1 1 – – – – – – – – – – – – – – – – – – –
MUTE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode r t.o.dest. r t.o.dest.2 M STAT length
0 1 0 1 0 0 – – 0 0 – – 1 – – 0 0 0 0 0 0 0 0 – – – – – – – 0 0
mask0
….
mask(n-1)
length: The length field indicates the number of bytes to be muted, up to 508 bytes. The specified length
must be a multiple of four bytes, (bits [1:0] = ‘00’).
STAT: Refer to Section 8.3.2.1 for a description of this field.
M: Indicates that the mask is appended to the instruction. If M is set to zero, no mask fields are supplied
and the instruction assumes that ‘length’ bytes of zeroes are to be used as mask values. M = ‘0’ could be
used with IPv6 extension headers that contain complete 32-bit words to be muted.
t.o.dest.2 – type of destination 2: The values for the ‘t.o.dest.’ field are the same as those listed in Section
8.4.1, DIRECTION Instruction, except destination to the crypto engine is not allowed (bit [22] must be set to
‘0’). Typically, this field is always set to ‘001’ (output). This destination receives the original, unmuted data.
r: Reserved, set to ‘0’.
t.o.dest. - type of destination: The values for the ‘t.o.dest.’ field are the same as those listed in Section
8.4.1, DIRECTION Instruction, except destination to the crypto engine is not allowed (bit [26] must be set to
‘0’). Typically, this field is always set to ‘010’ (hash engine). This destination receives the muted version of
the data.
r: Reserved, set to ‘0’.
opcode: Refer to Section 8.3.4 for a description of this field.
mask: The mask data immediately following the MUTE instruction to be used in the bitwise AND operation
with the input packet data. Refer to Section 8.3.5.
Note: If the same value is set for both destination fields, the MUTE instruction will send both muted and
unmuted data to the same destination.
retrieved by the post-processor. If this is not the case, using a non-zero length in the origin field of the
direction instruction will result in unexpected behavior.
This operation is intended to correct the instruction such that only the decrypted payload length is sent to
the hash engine and the decrypted authentication result is retrieved from the packet.
If a length is stored in the pre-processor, the pointer in the IRR instructions that removes data from the
output stream is incremented with the stored value.
length: The value (in little-endian format) to be placed in the ‘length’ field of the IPv4 header. The IPv4
instruction takes care of the byte swapping.
protocol: The value to be placed in the ‘protocol’ field of the IPv4 header.
t.o.dest.: Destination for the processed header words. The values for the ‘t.o.dest.’ field are the same as
those listed in Section 8.4.1, DIRECTION Instruction.
D – ‘time to live’ decrement: The IPv4 ‘time to live’ value is decremented when ‘D’ is set to ‘1’.
opcode: Refer to Section 8.3.4 for a description of this field.
Modifications
4-bits
32-bits
IPv4_CHECKSUM
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode D t.o.dest. protocol length
0 1 1 0 – – – – – – – – – – – – – – – – – – – – – – – – – – – –
length: The value (in little-endian format) to be placed in the ‘length’ field of the IPv4 header. The IPv4
instruction takes care of the byte swapping.
protocol: The value to be placed in the ‘protocol’ field of the IPv4 header.
t.o.dest.: Destination for the processed header words. The values for the ‘t.o.dest.’ field are the same as
those listed in Section 8.4.1, DIRECTION Instruction.
D – ‘time to live’ decrement: The IPv4 ‘time to live’ value is decremented when ‘D’ is set to ‘1’.
opcode: Refer to Section 8.3.4 for a description of this field.
Modifications
4-bits
32-bits
IPv6
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode D t.o.dest. next header payload length
1 0 0 0 – – – – – – – – – – – – – – – – – – – – – – – – – – – –
payload length: The value (in little-endian format) to be placed in the ‘payload length’ field of the IPv6
header. The IPv4 instruction takes care of the byte swapping.
next header: The value to be placed in the ‘next header’ field of the IPv6 header.
t.o.dest.: Destination for the processed header words. The values for the ‘t.o.dest.’ field are the same as
those listed in Section 8.4.1, DIRECTION Instruction.
D – ‘hop limit’ decrement: The IPv6 ‘hop limit’ value is decremented when ‘D’ is set to ‘1’.
opcode: Refer to Section 8.3.4 for a description of this field.
Modifications
4-bits
32-bits
Therefore, in the case of a GHASH (AES-GCM) or XCBC (AES-CCM) with the ‘encrypt_hash_result’ bit set to
‘1’, the following instructions are used to generate the ICV. Refer to the EIP-96 Operations Manual with
Token Examples [2].
1. A remove_result instruction is used to schedule removal of the first block (16 bytes) of the encrypted
input data and storing it to internal registers, while the rest of the data stream is processed and the
final hash result is calculated. The instruction will be executed after passing all packet data through the
crypto engines.
Note: The first encrypted block cannot be used for encrypting data since doing so would open up the
possibility of an attack on the nonce. Instead, this block is used to encrypt the final hash result.
Note: The ‘length’ field MUST be set to 16 (AES block size) for this mode to operate correctly.
2. The following INSERT instruction is used to pass the first encrypted block to the post processor. This
operation inserts 16 bytes of zeroes (AES block size) and performs an XOR with the first encrypted block
in the data stream. This results in passing the first encrypted block directly to the EIP-96 postprocessor,
for later encrypting (XOR’ing with) the hash result.
Once the final hash result is computed, it is encrypted (XOR-ed with the internally stored encrypted block of
zeroes). This XOR operation is enabled by the ‘encrypt hash result’ bit.
The result digest can be used by subsequent VERIFY_FIELDS or INSERT instructions as usual.
Context Control Word1, bit 17, encrypt hash result = ‘0’
In this case the remove_result operation is used to extract the hash result from the inbound (to be
decrypted) data stream, after decryption by the EIP-96. This is only relevant for protocols that specify the
hash result to be encrypted after the plaintext payload data, such as SSL or TLS.
Note: SSL and TLS require hash-then-encrypt for packet processing, automatically encrypting the hash
result, unlike encrypt-then-hash operation for the IPsec outbound ESP transform.
offset in the output data stream: Removal starts at location specified by offset value in this field. This
pointer is optionally (inbound SSL/TLS/DTLS with block ciphers) incremented internally when length
corrections are applied in the pre-processor. Refer to Section 8.4.8 for more details.
P: The REMOVE_RESULT instruction requires the ‘P’ field to be set to ‘0’.
STAT: Refer to Section 8.3.2.1, for a description of this field.
Length: The ‘length’ field indicates the number of bytes to be removed; this can be 12, 16, 20 or 32 bytes. If
the length field is zero (6’b00_0000): 64 bytes will be removed.
L, NH, CS: The REMOVE_RESULT instruction requires the ‘L’, ‘NH’, and ‘CS’ fields to be set to ‘0’.
opcode: Refer to Section 8.3.4 for a description of this field.
Note: The name of this instruction can be somewhat confusing as it can append, but also replace existing
data from the output data stream. It should not be confused with the REPLACE instruction, which
operates on packet data in input data stream, before the data is submitted to the packet
processing module, or the INSERT instruction, that actually does add data to the input data stream.
The insert_result operation strictly operates on the output data stream, after packet processing.
Notes:
1. The insert_result operation should only be used for updating data in (as opposed to after) the
output data stream. If data must be appended due to output buffer overflow, or if instructed by the
‘ToO’ field in the token command word, see Section 7.2.1.1.6, then this is done aligned to a 32-bit
boundary. Also this is done after the packet and the applicable field in the result token are set, even
if the packet data did not end on a 32-bit boundary. Appending (as opposed to updating) hash
result data after the data stream (possibly misaligned), according to the applicable protocol, should
be done using an INSERT or REPLACE instruction (for example, IPsec ESP) with the ‘t.o.dest.’ field
set to ‘output only’.
2. These instructions with the exception of remove_result operation must always be located after the
instruction Types 1 and 2.
3. If used for updating IPv4 fields, it is required that an IPv4_CHECKSUM instruction is performed
earlier, to actually pass an initial checksum value that the new length and protocol (next header)
fields are then added into. This can very well be a dummy IPv4_CHECKSUM instruction, i.e. with
lengh=0 and protocol=0. Refer to 8.5.2 for more information on this instruction.
offset in output stream: The location in the output data stream to insert the hash result. If this field is set to
0xfffe, the hash result is appended to the packet. This appending is always 32-bit aligned, regardless of the
byte alignment at the end of the packet. This field may not have any values larger than 0xff00, except for
0xfffe. For packets that do not fit in the EIP-96’s output packet buffer or when using the EIP-96-f with small
buffers, the result is automatically appended to the packet.
P: This operation requires this field to be set to ‘1’.
STAT[0]: This bit must be set to ‘1’. Since this operation does not modify the packet header, it does not
update the internally calculated header checksum. Therefore, the STAT[0] must be set to ‘1’, indicating that
no checksum update is required as a result of this operation.
L, NH, CS: This operation requires the ‘L’, ‘NH’, and ‘CS’ fields to be set to ‘0’.
length: The ‘length’ field indicates the length of the inserted hash result.
Notes: When updating (inserting or appending) a hash result, a length of zero (6’b00_0000) results in an
update of 64 bytes.
• Figure 53 applies to packets that are less than 1792 bytes in length. For larger packets, the 12-byte
ICV field is appended to the packet by default, in which case Figure 54 applies.
Bit 31
B8 B9 B10 B11
B2 B3
B6 B7
B3
B2
IP header AH header packet data
B0 B1
B4 B5
B1
B0
Bit 0
B7
B3
B2
B6
B2
IPv4 header AH header packet data
B1
B5
B1
B0
B4
B8
B0
Bit 0
8.6.1.3.2.1 Insert_Result Operation Example (Insert Length, Next Header and Checksum)
This insert_result operation example is typically used for normal IPv4 header updates, in the case of
inbound ESP transport mode. In this example, each of the ‘L’, ‘NH’, and ‘CS’ fields is enabled, set to ‘1’. The
operation assumes that the ‘next header’ and ‘checksum’ fields are in adjacent fields in the IPv4 header. See
Figure 55. The ‘checksum’ field immediately follows the ‘protocol’ field, which is updated with the next
header value.
This instruction inserts the actual packet length (calculated by the EIP-96 after processing) at the location
indicated by the ‘offset in output stream’ field. The ‘length’ field indicates the positive offset relative to
‘offset in output stream’ field where the next header value is to be inserted (IPv4 ‘protocol’ field); the
checksum is inserted immediately next to this location. The next header value used for the insertion is
retrieved from the padding. See Figure 57.
The inserted checksum is the result of the addition of the current checksum value (calculated so far by the
EIP-96) plus length and next header, where next header is added to the 8 MSbs of checksum. In the IPv4
header, the location of the ‘checksum’ field (immediately adjacent to ‘protocol’ field) and the way the
‘protocol’ field must be added to checksum, is fixed and corresponds to the order of these fields.
In IPv6, this operation updates only ‘payload length’ and ‘next header’ fields. The payload length is inserted
at the location pointed by the ‘offset in output stream’ field. The ‘length’ field must reflect the actual size of
the IPv6 packet header for this packet. The contents of the length field are subtracted from the (EIP-96
internally calculated packet length) in bytes to obtain the actual ‘payload length’ to be inserted in the
header. See Figure 59.
In IPv4 and IPv6, if all bits in the ‘offset in output stream’ field are set to one, the applicable updated fields
are appended to the packet. This appending is 32-bit aligned, regardless of the byte alignment at the end of
the packet.
offset in output stream: The location in the output data stream to insert the actual packet length calculated
by the EIP-96 after packet processing. If this field is set to 0xfffe, appropriate fields are appended to the
packet. See Figure 58 (IPv4) and Figure 60 (IPv6). This field may not have any values larger than 0xff00,
except for 0xfffe. For packets that do not fit inside the EIP-96’s output packet buffer or when using the EIP-
96-f with small buffers, the result is automatically appended to the packet.
P: This operation requires this field to be set to ‘1’.
STAT[0]: This bit must be set to ‘0’, indicating that a checksum update is required as a result of this
operation.
L, NH, CS: This operation requires the ‘L’, ‘NH’, and ‘CS’ fields to be set to ‘1’.
length: The ‘length’ field indicates the positive offset relative to ‘offset in output stream’ field where the
next header value is to be inserted; the checksum is inserted immediately next to this location.
4-bits
32-bits
source address
destination address
option
payload
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Length byte 1 (LSB) Length byte 0 (MSB) type of service version IHL
frag offset part 1 flags frag off. part 0 identifier byte 1 identifier byte 0
checksum byte 1 checksum byte 0 protocol time to live
source address byte 3 source address byte 2 source address byte 1 source address_0
dest. address byte 3 dest. address byte 2 dest. address byte 1 dest. address byte 0
4-bits
32-bits
source address
destination address
payload
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
flow label nibble flow label nibble flow label nibble flow label nibble traffic class flow label nibble traffic class
version
3 4 1 2 nibble 1 0 nibble 0
hop limit next header payload length byte 1 (LSB) payload length byte 0 (MSB)
source address byte 3 source address byte 2 source address byte 1 source address byte 0
source address byte 7 source address byte 6 source address byte 5 source address byte 4
source address byte 11 source address byte 10 source address byte 9 source address byte 8
source address byte 15 source address byte 14 source address byte 13 source address byte 12
dest. address byte 3 dest. address byte 2 dest. address byte 1 dest. address byte 0
dest. address byte 7 dest. address byte 6 dest. address byte 5 dest. address byte 4
dest. address byte 11 dest. address byte 10 dest. address byte 9 dest. address byte 8
dest. address byte 15 dest. address byte 14 dest. address byte 13 dest. address byte 12
Bit 31
B3
check-
length
total
sum
B2
packet data
B1
P
B0 IPv4 header
Bit 0
Figure 57 IPv4 updated fields - insert_result operation - ‘L’, ‘NH’, ‘CS’ and ‘P’ fields selected
Note: Figure 57 applies to packets that are less than 1792 bytes in length (before removing padding) with
standard EIP-96 configurations. For larger packets or with EIP-96-f configurations, updated fields
are appended to the packet by default, in which case Figure 58 applies.
Appended Data
Bit 31
B3
16'b00
16'b00
16'b00
B2
IPv4 header packet data
B1 P check-
length
total
sum
B0 8'b0
Bit 0
Figure 58 IPv4 appended updates - insert_result operation - ‘L’, ‘NH’ and ‘CS’ fields selected
Note: Figure 58 applies to packets that are equal to or larger than 1792 bytes in length (before removing
padding) or when using an EIP-96-f configuration. Figure 58 also applies to packets processed with
an insert_result operation with the instruction ‘length’ field = 0xfffe. Appended updated data
always starts on a 32-bit aligned position. See Table 25 below.
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
reserved reserved Length byte 1 (LSB) Length byte 0 (MSB)
reserved reserved protocol reserved
reserved reserved checksum byte 1 checksum byte 0
Bit 31
B3 IPv6 header
payload NH
B2
packet data
B1
length
B0
Bit 0
Figure 59 IPv6 updated fields - insert_result operation - ‘L’, ‘NH’ fields selected and ‘length’ =
0x28
Note: Figure 59 applies to packets that are less than 1792 bytes in length (before removing padding) with
standard EIP-96 configurations. For larger packets or with EIP-96-f configurations, updated fields
are appended to the packet by default, in which case Figure 60 applies. This figure also applies to
packets processed with an insert_result operation with the instruction ‘length’ field = 0xfffe.
Appended updated data always starts on a 32-bit aligned position.
Byte alignment within 32-bit words
Appended
Data
Bit 31
B3
16'b00
24'b00
B2
IPv6 header packet data
payload
B1
length
B0 NH
Bit 0
Figure 60 IPv6 appended updates - insert_result operation - ‘L’, ‘NH’ fields selected and
‘length’ = 0x28
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
reserved reserved payload length byte 1 (LSB) payload length byte 0 (MSB)
reserved reserved reserved Next header
The following insert-result operation examples are similar to this example with one of more options
disabled. The diagrams above are applicable to the following sections.
If multiple insert_result operations are used and data is appended to a packet, the order of the appended
data will be in the order of the operations in the token.
8.6.1.3.2.2 Insert_Result Operation Example (Insert Modified Length and Next Header with
Checksum Modification)
There is currently no actual ‘use case’ for this operation.
This operation updates the ‘payload length’ field of an IP packet header with the length of the result packet.
The payload length is inserted at the location pointed by the ‘offset in output stream’ field.
This operation updates the ‘next header’ field of an IP packet header. The next header value is retrieved
from the padding and is inserted at the ‘length’ number of bytes from the ‘payload length’ field.
This operation will update the internal checksum value but will not insert the checksum immediately next to
the ‘protocol’ field as is appropriate for IPv4 header. To insert the checksum later, a separate insert_result
operation must be used. Refer to Section 8.8, Insert_Result Operation Example (Insert Checksum).
Example:
To update the ‘length’ and ‘next header’ fields in the IPv4 header located in front of the packet, the ‘offset
in output stream’ field value must be 16h’0002 and ‘length’ field value must be 6h’07 as shows in Figure 57.
8.6.1.3.2.3 Insert_Result Operation Example (Insert modified Length and Next Header w/o
Checksum Modification)
This insert_result operation example is typically used to update an IPv6 header in the case of inbound ESP
transport mode.
This operation updates the ‘payload length’ and ‘next header’ fields of an IPv6 packet header. The payload
length is inserted at the location pointed by the ‘offset in output stream’ field. The ‘length’ field must reflect
the actual size of the IPv6 packet header for this packet. The contents of the ‘length’ field are subtracted
from the (EIP-96 internally calculated packet length) in bytes to obtain the actual payload length value to be
inserted in the header. The next header value is retrieved from the padding and is inserted immediately
after the inserted payload length.
The internally calculated checksum is not updated, as indicated by STAT[0] bit set to ‘1’.
Insert Checksum
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode L NH CS length STAT P offset in output stream
1 0 1 0 0 0 1 – – – – – – – 0 1 – – – – – – – – – – – – – – – –
Summarized it means that the maximum length of appended data is 4 words for EIP-96i and EIP-96is
configurations and 8 words for the EIP-96ie and EIP-96ies configurations. For the latter two the maximum is
also 4 when SHA2-384/512 are not used with HMAC. Also, for these typical uses cases only one IRR
(insert/append result instruction) is required.
Since the data is appended aligned to a 32-bit word the length in the length field of the result descriptor is
at most 35 bytes less than the amount of written output bytes, assuming these standard use cases.
Notes:
1. When the IP_TUNFIX instruction determined that the inner IP header is NOT an IPv4 or IPv6 header
(based on the IP header version field in bits [7:4] of the first byte of the header, this should be 4 for
IPv4 and 6 for IPv6), it will NOT do any updates. This is optionally reflected by a CLE errorcode in
the result token, depending on the settings in the EIP96_ECN_ERR_CFG register.
2. This instruction must always be located after the instruction Types 1 and 2.
REPLACE_BYTE
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode data byte D STAT R offset in output stream
1 0 1 1 – – – – – – – – 0 – – 0 – – – – – – – – – – – – – – – –
offset in output stream: The offset to the data byte in the output data stream to be overwritten.
R: When set to ‘0’, this instruction is a REPLACE_BYTE instruction.
STAT: Refer to Section 8.3.2.1 for a description of this field.
D: dummy, reserved. Set to ‘0’.
data byte: The byte of data to be used to overwrite a byte in the output data stream or appended to the
data stream.
opcode: Refer to Section 8.3.4 for a description of this field.
RESERVED
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode
1 1 0 0 – – – – – – – – – – – – – – – – – – – – – – – – – – – –
VERIFY_FIELDS
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode S SP CS P reserved STAT H length
1 1 0 1 – – – – – – – – – 1 1 0 0 0 0 0 0 0 0 0 0 – – – – – 0 0
length: Indicates the number of hash result bytes that needs to be compared, valid values are:
0001100: 12 bytes
0010000: 16 bytes
0010100: 20 bytes (SHA-1, SHA-2, SHA-3 and SM3 only)
0011000: 24 bytes (SHA-2, SHA-3 and SM3 only)
0011100: 28 bytes (SHA-2, SHA-3 and SM3 only)
0100000: 32 bytes (SHA-2, SHA-3 and SM3 only)
0110000: 48 bytes (SHA-2 and SHA-3 only)
1000000: 64 bytes (SHA-2 and SHA-3 only)
H: Set this bit to ‘1’ to verify the hash result.
STAT: This field must always be set to ‘11’.
reserved: Reserved. These bits should be set to ‘0’.
P: Set this bit to ‘1’ to verify padding. (Set to ‘1’ only if the padding type allows verification.)
CS: Set this bit to ‘1’ to verify the checksum.
SP: Set this bit to ‘1’ to verify the retrieved SPI.
S: Set this bit to ‘1’ to verify the sequence number. Refer to Appendix B.4.3 ‘Sequence number check’.
CONTEXT_ACCESS
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
result
type
opcode length origin STAT res U F P D reserved offset
1 1 1 0 – – – – – – – – – – – 0 0 – – – – 0 0 0 – – – – – – – –
data (optional), max = 1 dword
F and P: Fail and Pass bit combinations. Together, these bits are also referred to as the ‘result type’ field.
00: Execute the CONTEXT_ACCESS instruction immediately. When both bits are set to ‘00’,
this instruction can be executed anytime, even before packet processing.
When the token header word has the ‘CT’ bit set to ‘1’, all instructions with F and P set to
‘00’are ignored and therefore not executed. Setting ‘CT’ to ‘1’ results in an autonomous
sequence number update, initiated and controlled by the EIP-96. For outbound
operations with the ‘CT’ bit set to ‘1’ the sequence number update instruction is not
required, however when it is available, it must have the F and P bits set to ‘0’.
01: Execute the CONTEXT_ACCESS instruction only if all EIP-96 processing has completed
successfully, (without errors).
10: Execute the CONTEXT_ACCESS instruction only if all EIP-96 processing has completed
unsuccessfully. In this case, the VERIFY_FIELDS instruction resulted in one of more of the
following errors: error codes E9 through E13; see Table 34 for error code descriptions.
Executing the CONTEXT_ACCESS instruction in these cases could be useful in debugging or
keeping statistical data.
11: Execute the CONTEXT_ACCESS instruction only if all EIP-96 processing has completed,
successfully or unsuccessfully.
U: – Use token data when processing this instruction. There can only be one dword of data immediately
following the token instruction. The ‘origin’ field must be set to ‘11011’ and ‘length’ field must be ‘0001’ in
this case.
res: Reserved, must be set to ‘00’.
STAT: = 11 – last instruction, the use of this field is optional, except when enabling the ‘CT’ bit in the token
header. If the ‘CT’-bit in the token header is set to ‘1’, the use of the STAT bits for context update
instructions is required. If a token must execute non-sequence number related updates, these must be done
with STAT bits set to ‘00’. For inbound operations, the sequence number and mask update instruction must
be the last instruction and must have STAT bits set to ‘11’.
origin: The ‘origin’ field is an offset pointing to the internal Context Record field(s) that need to be updated.
All internal registers can be read for insertion into the external Context Record. Note that only general-
purpose, IV, sequence number (and mask) internal registers are writable using this instruction. Typically,
only read actions are required to update the external Context Record.
Note that in Table 28, some of the internal registers are ordered to allow multiple fields to be inserted with
one instruction. For example, the registers highlighted in yellow (sequence number result and sequence
number mask, or IV0 through IV3) are typically written to the external Context Record with one instruction.
Table 28 ‘Origin’ Field Encoding for CONTEXT_ACCESS Instruction
length – The ‘length’ field indicates the number of dwords that need to be transferred. For XL masks
(defined by the setting in CCW0, see 9.2) a special coding for this field is devised: length = ‘1111’ will result
in a full XL mask transfer; length = ‘0000’ will result in an optimized transfer of changed mask words, with
possibly some overhead of unchanged mask words. The optimized transfer might even split the mask
transfer in upto 2 separate DMA’s instead of a single DMA, for wide apart changed mask words – but it is
still implemented as an atomic action to make sure the integrity of the mask update is preserved.
BYPASS_TOKEN_DATA
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
opcode data
1 1 1 1 data (28 bits only)
data (optional), maximum of 11 dwords beyond the initial 28 bits above
9 Context Record
9.1 Context Record Format
The context data contains processing parameters and keying data. The first two words of the Context
Record contain the options and information about the available fields in the Context Record. The sequence
of fields within a Context Record is fixed, however; when the Context Fetch Mode is set to Control Mode
not all fields are needed (see also Appendix C.1.2.1). The length of some fields is variable. For example, the
length of the inner and outer digest registers indicated by Word k, Word l, depends on the selected options
and algorithms in the first two context words (Context Control Words 0 and 1).
Table 29 describes the default Context Record Address Map for use when Context Fetch Mode is set to
Address Mode. Note that this Context Record is 0x35 words (53 decimal) in length. Table 31 describes an
example Context Record used with Context Fetch Mode set to Control Mode.
Note: All Context Record fields that represent integer values are to be specified in little-endian format.
Therefore, the least significant bit of the value must end up at the bit location with the lowest
index. The following fields are treated as integers: context_length in Context Control Word 0,
digest_cnt, SPI, and sequence number.
Table 29 Context Record Address Map for Context Fetch Mode = Address Mode
The choice for the Address set (the rightmost column in Table 29 above) can be made clear using below
decision table, Table 30.
Table 30 Decision Table for Address Set for Context Fetch Mode = Control Mode
Table 31 Example Context Record Address Map for Context Fetch Mode = Control Mode
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Crypto_Algorithm
Ext_CTX_Format
Hash_Algorithm
Context_Size
Seq_Append
Digest_Type
(optional)
Mask_1
Mask_0
packet-based
Seq
SPI
key
ToP
options
ARC4/XTS_Stateful / IV_shift
Crypto_Alg_Extended
Encrypt_Hash_Res
context fetch mode
Seq_Num_Option
Feedback Mode
Crypto Mode
Hash_Store
crypto store
Pad_Type
digest cnt
IV format
reserved
IV3
IV2
IV1
IV0
/
In the table, the orange fields indicate whether the value is part of the context. The yellow fields indicate
the length and modes of operation. The grey fields are reserved (with the exception of Context_Size and
packet-based options, see below). If the fields are not appended to the token, the fields can be loaded from the
context.
The packet-based options and Context_Size fields are intended to be used if the context control words are
supplied in the input token, indicated by an active ‘C’ bit in the token control word (token word 0, see
7.2.1.1.7). However if the context control words are read directly from the Context Record the packet based
options bits are not applicable.
HMAC_Precompute When any of the supported Hash algorithms with HMAC digest type is selected
0b Use hash digest(s) as stored in Context Record.
1b Precompute the HMAC digests. The Hash Key should be provided as input data, while the
Context Record contains the usual context information, where any of the supported Hash
algorithms (MD5, SHA1, SHA2, SM3) must be selected, in combination with the HMAC digest
type. The HMAC precompute operation can also be performed as initial part of a combined
crypto-hash operation in basic and protocol modes.
Note: For SHA3 HMAC operations the initial HMAC digests precompute operation is neither
required nor supported.
Note: This option can only be chosen when the ‘Context’ Control Words are supplied in the
EIP-96 input token.
CCW0[13:8] – context_size:
Context_Size
Note: This field, when provided in the token, is only applicable when the Context Fetch Mode = Control Mode and
bit ‘C’ is set in the EIP-96 Input Token Header.
Note: In the context record, this field MUST be programmed with the correct context size (coding), otherwise this
may cause unpredictable behavior and/or poor performance.
In case the ext_ctx_format is selected (see CCW0[15]) while CCW0[13] is set to 0b, a special coding for the context
size applies, to allow support for Extra Large bitmasks (exceeding 384-bit, see CCW0[31:30]). See Table 33.
If CCW0[31:30] = 01b, an extra 32 words for the 1024-bit mask are added to the length represented in CCW0[12:8].
This field specifies the length in number of 32-bit words of a customized Context Record, over-riding the
context_size field of the PE_n_EIP96_CONTEXT_CTRL register (see section C.1.2.1). The length specified here does
not include the first ‘two’ words (Context Control Words 0 and 1), since these have already been provided with the
input token. Therefore, the new context is fetched starting at word address 0x02 (immediately after Context Control
Word 1).The maximum value of this field is 0x3F (63 words), which allows records of 65 words, including the two
command words.
With the introduction of XL masks (bitmasks which exceed 384 bits), the definition of the context_size is
transformed to enable representing any practicle context record size, according to below Table 33.
Here it can be seen that the coding only deviates from the straightforward coding under these conditions:
1. The configuration must support XL masks, and
2. Extended Format is selected (CCW0[15] = 1b), and
3. MSB of the context_size equals 0 (CCW0[13] = 0b).
Table 33 Coding of the context_size field
CCW0[14] – seq_append:
Seq_Append
When using the EIP-96 as a standalone core, this bit must be set to zero.
When set to one, and the sequence number append feature is enabled (see C.1.1.2), the sequence number is
appended to the result token.
Note: This feature should only be used when the EIP-96 is integrated in the EIP-197.
Several conditions must be satisfied to prevent errors in the result token and to allow successful appending of the
sequence number.
When this bit is set, one or two words sequence number (depending on the sequence number size) are added to the
result token as final words. Therefore, the EIP-96 input token may only have up to 10 bypass words, otherwise the
appended words won’t be visible in the result token. The length of the result token bypass field is increased with two
when this option is selected.
The bits [21:20] of the result token word7 indicate the appended sequence number size. These bits override the
existing value of these bits provided via the token bypass instruction.
00b: No sequence number appended to the output token
01b: 32-bit sequence number is appended
10b: 64-bit sequence number is appended
11b: Reserved
When ESN is selected (64-bit sequence numbering) and the sequence number checking is disabled, the EIP-96 still
estimates the 32 most significant bits of the extended sequence number (ESN) upon retrieval of the 32 LSB of the
sequence number from the processed packet. This is done together with a sequence number update after
processing. This estimation is required to allow a roll-over of the 32 MSB. To do a proper estimation of the ESN, the
EIP-96 assumes a replay window size of 1024-bits. The Context Record is always updated after successful
authentication with the 64-bit sequence number composed from the 32-bit sequence number from the processed
packet and the estimated ESN. If authentication fails, no update is done. In this mode it is assumed that no mask is
available.
Note: The sequence number append feature cannot be used together with the VERIFY_FIELDS sequence number
instruction.
Note: Only the 256-bit and larger masks allow 64-bit sequence number append. Smaller bit masks would only allow
‘no appending’ or ‘32-bit sequence number append’.
CCW0[15] – ext_ctx_format:
Ext_CTX_Format
Extended context format.
This bit is supported by the standard availability of sequence number masking, of at least 256-bit.
If this bit is set to 1b, the sequence number and all potential sequence number mask words are added at the end of
the Context Record on a fixed location. Refer to Table 29 for more details on the location of the sequence number
fields.
This bit changes the meaning of Seq, Mask0 and Mask1 bit-fields in the Context Control Word 0 (bits [31:28]); refer
to the description of these bits for details.
CCW0[16] – key:
Key Key operation
0b No key is loaded.
1b The key in the Context Record is loaded to be used by the crypto algorithm selected in the
Crypto_Algorithm and Crypto_Alg_Ext fields.
CCW0[22:21] – digest_type:
Digest_Type Digest used
00b Use the algorithm’s initial digest. In this case, no digests are stored in the Context Record.
Use for Poly1305 when combined with ChaCha20 One-Time Key precalculation.
01b Use the inner digest of the Context Record. In this case, only the precomputed inner digest is
available in the Context Record. For SHA-3, the Keyed-hash algorithm is selected. Refer to
section B.2.
10b Use for hash algorithms AES-GCM, AES-XCBC-MAC and Poly1305: In this case, one or more key
fields are available in Context Record, see sections B.2.6 and B.2.7.
Use for CRC-32 algorithm: Loading of initial state for CRC-32 is controlled via bit [0] of the
packet-based options field: ‘1’ = start from value 0, ‘0’ = start from digest field of the Context
Record.
11b Use for HMAC. The precalculated inner and outer digest values must be made available in the
Context Record for MD5, SHA1, SHA2, SM3. For SHA-3, the original key (limited to block size) is
available in the Context Record
CCW0[26:23] – hash_algorithm:
Hash_ Algorithm Digest_Type(s) Hash algorithm used Digest length (32-bit words)
0000b 00b/01b MD5 (basic) 4
10b CRC-32 15
11b MD5-HMAC 2x4
0001b 00b/01b reserved, do not use -
10b AES-XCBC-MAC1 (128-bit key) 3x4
11b 2 (2x)5
SHA-1-SSL-MAC
0010b 00b/01b SHA-1 (basic) 5
10b AES-XCBC-MAC1 (192-bit key) (2x4)+8
11b SHA-1-HMAC 2x5
0011b 00b/01b SHA2-256 (basic) 8
10b AES-XCBC-MAC1 (256-bit key) (2x4)+8
11b SHA2-256-HMAC 2x8
0100b 00b/01b SHA2-224 (basic) 8
10b GHASH 4
11b SHA2-224-HMAC 2x8
0101b 00b/01b SHA2-5123 (basic) 16
10b ZUC4 4
11b 3 2x16
SHA2-512-HMAC
0110b 00b/01b 3 16
SHA2-384 (basic)
10b 4 4
SNOW 3G
11b 3 2x16
SHA2-384-HMAC
0111b 00b/01b 10 8
SM3 (basic)
10b 4 4
Kasumi f9
11b 10 2x8
SM3-HMAC
1000b-1010b 00b-11b Reserved
1011b 00b SHA3-2566 (basic) 8
01b 6 34 (block size)
Keyed-hash SHA3-256
10b 7 0
Reserved
11b 6 34 (block size)
SHA3-256-HMAC
1100b 00b 6 8
SHA3-224 (basic)
01b 6 36 (block size)
Keyed-hash SHA3-224
10b 7 0
Reserved
11b 6 36 (block size)
SHA3-224-HMAC
1101b 00b 6 16
SHA3-512 (basic)
01b 6 18 (block size)
Keyed-hash SHA3-512
10b 7 0
Reserved
11b 6 18 (block size)
SHA3-512-HMAC
Hash_ Algorithm Digest_Type(s) Hash algorithm used Digest length (32-bit words)
1110b 00b 6 16
SHA3-384 (basic)
01b 6 26 (block size)
Keyed-hash SHA3-384
10b 7 0
Reserved
11b 6 26 (block size)
SHA3-384-HMAC
1111b 00b 8,9 4
Poly1305
01b/11b Reserved -
10b 9 4
Poly1305
1
AES-XCBC-MAC uses separate AES-CBC encrypt-only core. The key length is for the encryption key K1; other keys
used in the algorithm (K2 and K3) are always 128 bits. The AES-CCM mode uses key lengths of 128-bit, 192-bit
and 256-bit.
2
SHA-1-SSL-MAC is a dedicated SHA-1-MAC algorithm used only for SSL. This option is available by default in all
configurations.
3
SHA2-512 and SHA2-384 are only available in EIP-96*e configurations and ‘reserved, do not use’ in other
configurations.
4
Kasumi, SNOW 3G and ZUC are only available in the EIP-96iew and EIP-96iesw configurations and ‘reserved, do
not use’ in other configurations.
5
CRC-32 digest length is 32-bit long (1 x 32-bit word), while in the Context Record, 4 x 32-bit words are required.
6
SHA-3 hash functions are only available in EIP-96*k configurations and ‘reserved, do not use’ in other
configurations.
7
Hash continuation is not supported for SHA-3.
8
Poly1305 when ChaCha20 is used for One-Time Key precalculation: The R key and S key are not fetched from the
context, see B.2.4.
9
Poly1305 MAC functions are only available in EIP-96*b configurations and ‘reserved, do not use’ in other
configurations.
10
SM3 functions are only available in EIP-96*c configurations and ‘reserved, do not use’ in other configurations.
CCW0[27] – spi:
SPI Key operation
0b No SPI[31:0] or SSRC[31:0] fields are present in the Context Record.
1b Either the SPI[31:0] or SSRC[31:0] identification fields are present in the Context Record.
CCW0[29:28] – seq:
Ext_CTX_Format1 Seq Counter size Indication
0b 00b N/A Sequence number data is not present in the Context Record. Hence,
if a token instruction checks for or uses the sequence number,
results are unpredictable.
0b 01b 32-bit Sequence number [31:0] field is present in the Context Record.
0b 10b 48-bit Sequence number [47:0] field is present in the Context Record.
0b 11b 64-bit Sequence number [63:0] field is present in the Context Record.
1b 00b 32-bit Sequence number [31:0] field is present in the Context Record.
1b 01b 64-bit Sequence number [63:0] field is present in the Context Record.
1b 10b 48-bit Sequence number [47:0] field is present in the Context Record.
1b 11b Reserved Reserved
1
Extended Context Format, refer to CCW0[15]
CCW1[4:0] – ARC4_key_length:
ARC4_Key_Len ARC4 key length1
00000b – 00100b reserved, do not use
00101b 5 Bytes2
00110b 6 Bytes2
00111b 7 Bytes2
01000b 8 Bytes2
01001b 9 Bytes2
01010b 10 Bytes2
01011b 11 Bytes2
01100b 12 Bytes2
01101b 13 Bytes2
01110b 14 Bytes2
01111b 15 Bytes2
10000b 16 Bytes
10001b – 11111b reserved, do not use
1
ARC4 is only available on the EIP-96is and EIP-96ies configurations.
2
The context must always contain 4 (32-bit) words of ARC4 key material if ARC4 is selected. If this field indicates a
shorter key length, only the first N bytes of the key will be used. For example using an ARC4 key of five bytes,
only the first key word and bits [7:0] of the second key word contain valid key data that is used by the ARC4-
core.
CCW1[8:5] – IV[3:0]:
IV_3 IV_2 IV_1 IV_0 IV words present and loaded1
0b 0b 0b 0b No IV words are part of the Context Record
0b 0b 0b 1b IV0 (= IV[31:0])
0b 0b 1b 0b reserved, do not use
0b 0b 1b 1b IV1 + IV0 (= IV[63:0])
0b 1b 0b 0b reserved, do not use
0b 1b 0b 1b reserved, do not use
0b 1b 1b 0b IV2 + IV1 (= IV[95:32])
0b 1b 1b 1b IV2 + IV1 + IV0 (= IV[95:0])
1b 0b 0b 0b reserved, do not use
1b 0b 0b 1b IV3 and IV0 (=IV[127:96] and IV[31:0])
1b 0b 1b 0b reserved, do not use
1b 0b 1b 1b reserved, do not use
1b 1b 0b 0b reserved, do not use
1b 1b 0b 1b reserved, do not use
1b 1b 1b 0b IV3 + IV2 + IV1 (= IV[127:32])
1b 1b 1b 1b IV3 + IV2 + IV1 + IV0 (= IV[127:0])
1
IV0 is also used for NONCE, IV3 is also used to store the counter for AES/SM4/BC0-CTR, AES/SM4/BC0-
ICM and ChaCha20 modes.
CCW1[9] – digest_count:
Digest_Count Operation
0b No digest count is stored in the Context Record.
Alternatively, when SHA-3-Keyed-hash (only available on the EIP-96k) is the selected
algorithm, the key length is equal to the block size of the specified SHA-3 algorithm – the key
being available in the digest words of the Context Record.
1b A digest count is stored in the Context Record (in the first word following the first hash digest)
– this count holds the number of 512-bit blocks1 that are already processed by the hash
engine.
Alternatively, when SHA-3-Keyed-hash (only available on the EIP-96k) is the selected algorithm
in context control word 0 “hash_algorithm”/”digest_type”, the key length is provided in bits
[31:24] of the last digest word2 in the Context Record.
1
For SHA2-384/512 (available in EIP-96ie / EIP-96ies configurations), where the block size equals 1024 bits, the
digest count word still holds the number of processed bits in 512-bit units, meaning that the field is incremented
by 2 for each block processed.
2
For SHA3-512, the last digest word is Word l+1, for SHA3-384 this is Word l+9, for SHA3-256 this is Word l+17, for
SHA3-224 this is Word l+19, refer to Context Record Address Map for Context Fetch Mode = Address Mode Table
29.
CCW1[12] – crypto_store:
Crypto_Store Operation
0b Do not store updated IV values and ARC4 I/J pointers back in internal context registers (the
latter for EIP-96is / EIP-96ies configurations only).
1b Store updated IV values and ARC4 I/J pointers back in internal context registers (the latter for
EIP-96is / EIP-96ies configurations only) – CONTEXT_ACCESS instructions must be used to write
these registers (and ARC4 state) out to the Context Record (if needed and applicable). When
AES-XTS is selected (EIP-96iex / EIP-96ieswx / EIP-96ieswxk) the Tweak value is stored.
CCW1[13] – enable_prepacket_operation:
enable pre-packet Operation
op.
0b default, for regular operations this bit must be set to zero
1b Enables the option to perform a decryption operation ahead of the actual packet processing. If
this bit is set to 1, it is possible to re-initialize the datapath such that it restarts the crypto
processing FSM and reloads the original IV. The datapath re-initialization is executed with
propagation of the ‘Last’-bit in a token instruction.
Refer to Section 8.4.8 for more details.
Note: This bit only needs to be set to 1 for (single pass) inbound SSL/TLS/DTLS operations
that use block cipher encryption. For these operations, decryption of the last two data
blocks needs to be done ahead of the actual packet processing to retrieve the padding
length. After decryption of the last two data blocks of the packet to determine the
padding length (and thus the location of the hash result), the datapath needs to be re-
initialized when the processing of the packet is started.
Note: It is not recommended to set this bit for operations other than inbound SSL/TLS/DTLS
with block ciphers.
CCW1[16:14] – padding_type:
Pad_Type5 AEAD_mode4 Padding type used
000b 0b Zero padding
001b 0b PKCS7 padding
010b 0b Constant SSL padding 3
011b 0b RTP padding
100b 0b IPsec padding, returned value is next header 2
101b 0b TLS1.0, TLS1.1, TLS1.2 padding
1b TLS1.3 padding
110b 0b SSL padding (no check) 3
111b 0b IPsec padding, returned value is next header 2,
no pad sequence check on removal 1
1
The use case for this setting is when an inbound packet contains IPsec padding filled with arbitrary data. The EIP-
96 will then remove the padding sequence using the length defined by ‘pad length’ byte. This is different from
code 100b, where first the padding sequence is verified and then the padding is removed only when the
sequence is correct and the ‘pad length’ byte matches the ‘sequence length’.
2
Returned next header value will be placed in result token.
3
Removal and checking of SSL padding can only be selected if SSL padding is constant, followed by the padding
length (eg. 90-90-90-03), however SSL does not explicitly define the padding fields to be constant. If an inbound
packet does not necessarily has constant SSL padding, the removal can only be done by the depadding logic of
the EIP-96 when no check is done on the padding. In this case pad type ‘110’ should be selected.
4
The AEAD_mode is defined by CCW1[3], and only for non-feedback modes: AES/DES/SM4/BC0 with CFB/OFB do
not support AEAD_mode. For non-listed combinations of Pad_Type and AEAD_mode, the used padding type is
‘reserved, do not use’.
5
This padding type defines the type to verify, in case of inbound operations. Must be set to 000b for outbound
operations.
CCW1[17] – encrypt_hash_result:
Encrypt_Hash_Res Operation (applicable to AES-GCM and AES-CCM processing only)
0b The generated hash result is not encrypted, creating the ICV (integrity check value) directly.
See the description of the INSERT_REMOVE_RESULT instruction in section 8.6.1.1.
1b The generated hash result is encrypted to create the ICV (integrity check value). See the
description of the INSERT_REMOVE_RESULT instruction in section 8.6.1.1.
This bit MUST be kept 0b when not performing AES-GCM or AES-CCM operations.
CCW1[19] – hash_store:
Hash_Store Operation
0b Calculated hash digests are not stored in the internal digest result registers.
1b Calculated hash digests are stored in the internal digest result registers – a CONTEXT_ACCESS
instruction must be used to write these registers out to the Context Record (if needed).
CCW1[23] – disable_mask_update:
Disable_Mask_Upd Operation (for inbound packets only)
0b Update the sequence number mask during inbound sequence number verification.
1b Do not update the sequence number mask during inbound sequence number verification. This
allows checking out-of-order packets within a programmable window size without replay
protection.
CCW1[31] – fetch_mode:
Fetch_Mode Context Record mode
0b ‘Control mode’ – only relevant fields stored and fetched. May be overruled by bits [9:8] of the
PE_n_EIP96_CONTEXT_CTRL register (see section C.1.2.1).
1b ‘Address mode’ – fixed Context Record layout. May be overruled by bits [9:8] of the
PE_n_EIP96_CONTEXT_CTRL register (see section C.1.2.1).
Result Token
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
E14
E13
E12
E11
E10
E15
L N C B hash bytes H CLE reserved bypass data
Two errors in the result token have a different behavior in the EIP-96-f configurations:
1. In the standard EIP-96, error E0 occurs either when the pre-processor detects a wrong length
(instruction lengths, version packet length) or if the input DMA fetch reports an error. The latter cannot
happen in the EIP-96-f but a similar case is detected and reports the same error instead. If
data_in_done is asserted before the number of written words matches with the packet length field
from the input token, the EIP-96-f will trigger E0.
2. Error E15 cannot occur in the EIP-96-f, and is therefore always zero in that case.
Errors E4, E5 and E6 have different meaning when E14 bit is set. When this is the case, E4 indicates a PRNG
error, E5 indicates a context read DMA error and E6 a context read ECC error. Refer to Table 35.
Table 35 Result Token E14, E6, E5 and E4 errors
{E14, E6, E5, E4} Description
0--- E4: If set to ‘1’: Hash block size error (basic hash only)
E5: If set to ‘1’: Invalid command/algorithm/mode/combination
E6: If set to ‘1’: Prohibited algorithm
1000 Time-out fatal error.
This error should never occur in the EIP-96 when processing regular operations/tokens.
The timeout counter runs if no data movement within the EIP-96 is detected and fires
after this situation has persisted for a fixed number of clock cycles (approximately 1000
clock cycles). The actual number of clock cycles is dependent on the EIP-96 core
configuration.
1010 Context read DMA error. The EIP-96 has an indication from the external system that
context cannot be read due to DMA error.
1100 Context read ECC error. The EIP-96 has an indication from the external system that
context is corrupted as detected by the external ECC logic.
1110 Both context read DMA and ECC error
10011 PRNG error. The EIP-96 has an indication from the external system that the external PRNG
(DRBG) requires an initial seed, reseed, or that a duplicate was produced.
1
Only defined for external PRNG (DRBG).
Bypass Data:
This field indicates the length of the result token bypass data in dwords. Valid values are from 0 to 12 (i.e.
10 + maximum of 2 appended seq_num words).
Output Packet Pointer/identifier:
This is a direct copy of the ‘output packet pointer/identifier’ from the input token. Refer to 7.2.1.3 for
details.
Pad Info 0 and Pad Info 1:
Definition of these fields depend on the applied padding type, as outlined in Table 37 below.
Table 37 Pad Info Fields Definition
Next Header:
The ‘next_header’ field contains the ‘next header’ result value intended for updating the IP header,
specifically, the IPv4 ‘protocol’ field or IPv6 ‘next header’ field. This value is retrieved during de-padding.
The ‘next header’ field is only applicable to IPsec padding;
When a pre-packet crypto operation is enabled (required for SSL/TLS/DTLS inbound processing with block
ciphers) and a processing error occurs, this field contains the retrieved padding length (the result of the pre-
packet decryption operation). Processing errors will only occur if the retrieved padding length is larger than
the actual encrypted payload, such that internal length calculations over- and/or underflow.
In all other cases, this field is set to zero (8’h00).
Pad Length:
The ‘pad_length’ field contains the number of detected (and removed) padding bytes. Applicable padding
types are PKCS#7, RTP, IPsec, TLS (1.0, 1.1, 1.2) and SSL. Otherwise, this field is set to zero (8’h00).
Pad long, Pad Length Hi, Pad Length Lo:
The ‘pad_long’ bit is the most significant bit of Pad Info 1, and denotes if the TLS1.3 padding is removed
from the inbound packet (pad_long equals 0b), or not (pad_long equals 1b). The detected (and possibly
removed) pad_length[14:0] is defined by concatenating ‘pad_length_hi[6:0]’ and ‘pad_length_lo[7:0]’.
Padding with size pad_length > 256 bytes is not removed from the inbound packet.
A.2 Postprocessing
A.2.1 Result Token
After the EIP-96 completes processing of a token, a result token is generated. If no errors occurred during
processing, output data will also be available.
For result token examples, refer to document EIP-96 Operations Manual with Token Examples [2].
E9
E8
E7
E6
E5
E4
E3
E2
E1
E0
Optional token Optional
E15
L N C B hash bytes H bypass data
bypass data[4:0] token bypass data[15:5]
output packet pointer/identifier
When bit [30] of the token header word is set and ip_len_delta_en field of the Output Buffer Control Register is
set to 1b, the result token has the following format (type 2):
EIP-197 compatible result token (type 2)
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
E14
E13
E12
E11
E10
E15
L N C B hash bytes H bypass data
bypass data[4:0] token bypass data[15:5]
output packet pointer/identifier
IRR Instruction Example (Insert Length, Next Header, and Checksum) with bypass
In this example the inserted length is the ‘total length’ minus bypass offset. This is the ‘result packet length’
field in the result token minus the offset pointer used in this instruction.
Since the offset in the output stream must point to the length field, by default it is set to 2 for IPv4 and 4 for
IPv6. In case there is bypass data in front of the packet, the “offset in output stream” can be set to the bypass
length plus 2 (for IPv4) or 4 for (IPv6).
The inserted length is corrected based on the checksum setting. IPv4 is assumed with checksum
modification (bit[17] in the IRR instruction set to ‘0’).
offset in output stream: The location in the output data stream to insert the actual packet length calculated
by the EIP-96 after packet processing. The offset minus (2 or 4) is subtracted from the inserted length. In the
case of IPv6, also the ‘length’-field value is subtracted from the inserted length. This is assumed to be set to
40 (0x28), representing the IPv6 header length.
If this field is set to 0xfffe, appropriate fields are appended to the packet. For packets that do not fit in the
EIP-96’s output packet buffer or for EIP-96-f small buffer configurations, the result is automatically
appended to the packet. When appending must be forced and an offset correction must be done, the actual
IP header offset can be subtracted from 0xfffe (when it is less then 254 bytes). The difference between
0xfffe and the programmed offset (when larger than 0xff00) is subtracted from the length field that is
appended after the packet. If the offset is odd, which means the LSB (bit[0]) of the ‘offset in the output
stream field’ is one, the appending is done shifted with 1 byte to ease the replacement in the result packet.
STAT[0]: This bit must be set to ‘0’, indicating that a checksum update is required as a result of this
operation. This bit is supposed to be cleared to ‘0’ with IPv4 and set to ‘1’ with IPv6.
CS: If set to ‘1’, this operation requires the checksum field to be updated.
For the description of the other fields, refer to 8.6.1.
Reserved
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The following is an example from NIST Special Publication 800-38A [Appendix F]. As indicated in the
example, Key data needs to be byte swapped when stored in the Context Record Key fields. The example
below is a detailed diagram specifying the byte order within a Key context word.
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Key 0
Byte 03 Byte 02 Byte 01 Byte 00
0x16 0x15 0x7e 0x2b
0 0 0 1 0 1 1 0 0 0 0 1 0 1 0 1 0 1 1 1 1 1 1 0 0 0 1 0 1 0 1 1
Example 1: Key 1
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Key 1
Byte 07 Byte 05 Byte 05 Byte 04
0xa6 0xd2 0xae 0x28
1 0 1 0 0 1 1 0 1 1 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 0 1 0 1 0 0 0
The following is an example from [RFC8439]. Again, as indicated in the example, Key data needs to be byte
swapped when stored in the Context Record Key fields. The example below is a detailed diagram specifying
the byte order within a Key context word.
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Key 0
Byte 03 Byte 02 Byte 01 Byte 00
0x83 0x82 0x81 0x80
1 0 0 0 0 0 1 1 1 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0
Example 2: Key 1
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
Key 1
Byte 07 Byte 05 Byte 05 Byte 04
0x87 0x86 0x85 0x84
1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 0 1 0 0 0 0 1 0 1 1 0 0 0 0 1 0 0
HMAC SHA-3
Since an intermediate hash result for SHA-3 – having a size of 1600 bit – exceeds acceptable Context Record
storage limits, the HMAC algorithm for SHA-3 will follow the original result digest calculation scheme,
outlined above. This means that no Precalculation is performed for SHA-3, so the digest fields of the the
Context Record contains K+, which equals the original key value K or H[K], padded with zeroes up to the
block size of the used SHA-3 algorithm.
Keyed-hash SHA-3
In addition, Keyed-hash is supported, using the SHA-3 algorithm.
The result digest is generated as follows:
result digest = HK(K, M)
Where: HK = H[K || M]
The supported key size |K| ranges from 1 byte to ‘block size’ bytes, where the block size is dependent on
the used SHA-3 algorithm (also see 9.2.1):
• SHA3-224: block size = 144 bytes (1152 bits)
• SHA3-256: block size = 136 bytes (1088 bits)
• SHA3-384: block size = 104 bytes (832 bits)
• SHA3-512: block size = 72 bytes (576 bits)
B.2.2 SM3
The SM3 specification defines the result of a hash calculation as a sequence of 32-bit words:
• W0 through W7 (only available in EIP-96*c configurations)
The mapping of bytes and words from the SM3 specification onto EIP-96 context words is similar to SHA2-
256, as explained in Section B.2.1.
B.2.3 MD5
The MD5 algorithm defines the result of a hash operation as a sequence of bytes b15..b0, as follows:
Result of a MD 5 operation per the MD 5 spec, in bit string format , per MD5 spec:
“abcdefghijklmnop”
a b c d e f g h i j k l m n o p
Result of a MD 5 operation per the MD 5 spec, in word A ,B,C,D format, per MD 5 spec:
Word A Word B Word C Word D
b3 b2 b1 b0 b7 b6 b5 b4 b11 b10 b9 b8 b15 b14 b13 b12
B.2.4 Poly1305
The Poly105 algorithm uses a 32-byte one-time authenticator key (OTK), partitioned into two 128-bit keys
as inputs, the R key and the S key. When Poly1305 is used as standalone basic MAC, these keys are loaded
via the Hash Digest 1 field, as indicated in the next diagrams.
Alternatively, when used together with ChaCha20, the EIP-96 can be configured to let the ChaCha20
algorithm generate an OTK, which is provided to the Poly1305 algorithm directly, instead of any key(s)
available in the context record. The OTK will not be made available in the context record.
The Poly1305 algorithm defines the result (TAG) of a MAC operation as a sequence of bytes b15..b0, as
follows:
Result of a poly1305 operation per the Poly1305 spec, in bit string format:
“abcdefghijklmnop”
a b c d e f g h i j k l m n o p
Result of a poly1305 operation per the Poly1305 spec, in Word A,B,C,D format:
Word A Word B Word C Word D
b3 b2 b1 b0 b7 b6 b5 b4 b11 b10 b9 b8 b15 b14 b13 b12
B.2.5 CRC-32
CRC-32 algorithm is defined in IEEE 802.3. The CRC-32 operation in EIP-96 is supported as hash operation
and can be used stand alone and also in combination with other cipher algorithms. The CRC-32 algorithm
works on byte basis, so supports messages not multiple of 4 bytes.
CRC-32 can be used for a single complete CRC operation. In such case, there is no need for digest fields to
be present in the context.
CRC-32 can also be used in a chained manner: starting from the default state for one packet, saving the
state into the Context Record and loading this state for the next packet. CRC-32 initialization is controlled as
described in section 9.2.1. Note that the intermediate states are "closed", meaning that the actual 32-bit
state is internally XOR-ed with 0xffffffff before it is returned in DIGEST0_0 field in the context record, as if it
were the final CRC-32 result. For proper continuation, this same "closed" state must be provided in
DIGEST0. Consequently, reusing an intermediate CRC-32 state from a different source requires that the host
must first close the CRC-32 intermediate state by XOR-ing with 0xffffffff before providing it to the
DIGEST0_0 field of the context. Likewise, reusing the intermediate CRC-32 state outside the EIP-96 requires
that the host must first reverse the closed CRC-32 state by XOR-ing the DIGEST0_0 value with 0xffffffff
before presenting it elsewhere.
The output of the CRC-32 algorithm is an integer value in little-endian format. The same endianness is used
when inserting the CRC-32 into the packet or saving the CRC-32 result into the Context Record: byte zero
(lowest significant byte) is inserted first and so on.
The result of the encryption operation will be a 128-bit value for each the GHASH key H. This values need to
be stored in the digest0. Assume the result of an AES encryption is a 128-bit wide bit sequence, with bit [0]
shown at the left-hand side, as per the AES specification, which is stored in 32-bit dwords on a little-endian
machine, as follows:
The reason for having K1 'last' is that in the XCBC 'base' specification, K1 is the only key that is actually used
as key input to the AES algorithm; K2 and K3 are only used for XOR operations with AES result data.
Therefore, it can be expected that K2 and K3 will never exceed the size of an AES block (128 bits), whereas
K1 will scale with the key size used for AES in the AES-XCBC algorithm. The current configuration allows this
longer key to be stored in the Context Record without requiring extensive modifications to the existing HW.
At this point however the EIP-96 only support the AES-XCBC method as defined within the IPsec RFC's, using
128-bit AES keys.
Attention: When selecting AES-XTS, it is not allowed to enable a Hash Algorithm, therefore the Type of
Packet (ToP) field must be set to ‘0100’ or ‘0101’. Digest_Type and Hash_Algorithm must be set to
zeroes.
Hash Digest 1
This field is used to load Key2 for the AES-XTS algorithm.
IV fields
The Key 1 must be provided to the Cipher Key field, if key loading is not used. If key loading is used, it is
received via the key loading interface.
The Key 2 must be provided to the Hash Digest 1 field. Size of the field is 4, 6 and 8 x 32-bit words for 128-bit,
192-bit and 256-bit key respectively.
The ‘i’ or Tx (depending on chosen pre-calculation method) must be provided to the IV field. If ‘i’ or Tx is
loaded from the input token, the content of this field is ignored during the operation. If crypto state is saved
to the context, after the operation this field contains the last used Tx.
Optional IV fields
B.2.9.3 Authentication
Kasumi authentication only uses a digest. Since digests have a minimum size of four words, a 128-bit value
must be provided via the context. In this value the 64-bit kasumi key must be stored, as indicated in the
next diagrams.
Context – Control Format
B 3 2 1 0
W 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
0
Context control words
1
Cipher Key
Optional IV fields
B.3 SPI
The Security Parameter Index to be put in outbound ESP or AH packets or to be verified in the case of
inbound ESP or AH packets. The SPI is not changed by any operation. This is a little-endian number.
2. XL masks, with replay protection of 2^M, and more than 384 bits, e.g., a 1024-bit mask in case M=10:
The mask field is regarded as a big-endian string of 2^M bits. The bit representing the packet with the
most recent sequence number S has index (S MOD 2^M) and will therefore always be set to ‘1’. All
other bits represent sequential packets in the past. The reason for this different implementation for XL
masks is that it allows to update only some, typically small, portions of the mask, instead of always
having to update the full mask like for "normal masks".
A block diagram of the sequence number logic is illustrated below.
EIP-96
Context RAM
Internal context result of RETRIEVE
memory sequence instruction
context fetch number
Context record overflow
32/48/64-bit
check
counter
CONTEXT_ACCESS
sequence number instruction sequence number increment result sequence
low (seq. num. update) low number high
sequence number sequence number result sequence
Context DMA
replay check
result of
sequence
number check
• The XL masks allow a reduced window check and update, the reduction to an 2^L-bit window is
selectable on packet basis between 64 and 2^M bits.
When the configuration supports XL masks, ‘Ext_CTX_Format’ is set to ‘1’, and the ‘Context_Size’ field is set to
less than 32 [words] except 0, the inbound operation is processed using an XL mask. The following table
applies.
Table 40 Modes with inbound sequence number checking for XL masks
The sequence number check is performed during processing and is reported when the packet is done.
Optionally the context update can be executed or discarded if a check fails.
Note that some RFCs advise to perform an initial sequence number (anti-replay) check before a packet is
processed to prevent a DoS attack. This initial sequence number check can be done outside the EIP-96
before the packet is passed to the EIP-96. When implementing this initial external check, the current
sequence number and mask from the Context Record can be used. Independent of the result, the sequence
number or mask should never be updated externally, however, that packet must be dropped if it is replayed
(check fails). Therefore, there is no need to update the sequence number and mask externally, since this is
done by the EIP-96 if the packet is processed completely and all other checks pass.
128 which is the selected reduced mask. The sequence number and mask are not updated and the packet is
to be dropped. The ‘sequence number check error’ is generated.
Case 5: The packet with sequence number of 1980 is received, appearing in the past but within the window
of 2^M (or 2^L) packets. The bit with index (1980 MOD 2^M) is set.
• If this bit was already set, then a packet with sequence number 1980 has already been received, so this
packet is dropped. The Context Record is not updated. The ‘sequence number check error’ is
generated. This is a replay protection case.
• If this bit was not set, then either
a packet with sequence number 1980 has not been previously received, or
a packet with this number was received previously but then fell outside a reduced mask window –
and was dropped accordingly without updating the mask.
This fact is recorded by setting the mask bit with index (1980 MOD 2^M) to ‘1’ and updating the
Context Record. The sequence number is not updated.
B.5 IV
Like Key data, all IV data is little-endian. The IV can be fetched and stored to the IV location in the Context
Record.
If (3)DES is used, IV 0 and 1 contain IV data. For AES/SM4/BC0-CBC and ChaCha20 mode, all four IV words
are valid. For AES/SM4/BC0-CTR mode the Nonce will always be part of the context, stored in the location of
IV 0; optionally IV 1, IV 2 and IV 3 can be used to fetch and store an intermediate IV.
The following is an example from NIST Special Publication 800-38A [Appendix F]. As indicated in the
example, IV data needs to be byte swapped when stored in the Context Record IV fields. Below the example
is a detailed diagram specifying the byte order within an IV context word.
NIST SP 800-38a:
AES Key In: 2b7e1516 28aed2a6 abf71588 09cf4f3c
IV In: 00010203 04050607 08090a0b 0c0d0e0f
AES Data In: 7649abac 8119b246 cee98e9b 12e9197d
AES Data Out: 6bc1bee2 2e409f96 e93d7e11 7393172a
Context record:
IV 0[31:0]: 03020100 (or NONCE)
IV 1[31:0]: 07060504
IV 2[31:0]: 0b0a0908
IV 3[31:0]: 0f0e0d0c
Example 1: IV 0
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IV 0
Byte 03 Byte 02 Byte 01 Byte 00
0x03 0x02 0x01 0x00
0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0
For ChaCha20, the mapping of the 32-bit counter and per-packet IV is made consistent with AES-CTR mode.
The incrementing (block-)counter is mapped to IV3, the 96-bit per-packet IV is mapped to IV0, IV1, IV2.
The following is an example from [RFC8439]. As indicated in the example, IV data needs to be byte swapped
when stored in the Context Record IV fields. Below the example is a detailed diagram specifying the byte
order within an IV context word.
Example 2: IV 0
31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
IV 0
Byte 03 Byte 02 Byte 01 Byte 00
0x00 0x00 0x00 0x07
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1
Note that when using CTR, ChaCha20 and ICM mode in their native form (CTR and ChaCha20 require a 32-
bit counter, ICM requires a 16-bit counter), the counter values must be reset. For Counter Mode (CTR) and
ChaCha20, the 32 bits of the counter (IV 3) must be set to represent ‘one’ (0x01000000) and for ICM, the 16
bits of the counter (byte 03 and 02 of IV 3) must be set to zero (0x0000????, where ‘?’ is don’t care and may
be any value). A user has the flexibility to load a different initial counter value. Note that if ChaCha20 is used
to generate a one-time authenticator key for Poly1305, the counter should be set to zero (0x00000000).
However, when loading a counter that has not been reset, be aware that the EIP-96 implements a 32-bit
wide counter that rolls-over to zero at 232-1. When loading a different initial counter value, the user is
responsible for detection or prevention of the counter overflow. When using counter mode as ‘mode of
operation’, the counter should never overflow since it is a potential security risk if the same IV is used twice
(in combination with counter modes). If the reset values are used on a per packet bases, an overflow will
never happen. A packet will not contain over 16*216 bytes that need to be encrypted (in combination with
ICM). For CTR mode a packet can theoretically contain 16*2 32 - 32 payload bytes, before the counter
overflows. For ChaCha20, 64-byte blocks are counted, which is enough for 64*232 bytes.
Refer to Table 15 for the IV loading options.
The ARC4 State Record pointer points to the ARC4 State Record.
Absolute ARC4 pointer (EIP-96is, EIP-96ies, EIP-96iesw, EIP-96ieswx and EIP-96ieswxk): If this bit [18] in
register EIP96_TOKEN_CTRL_STAT is ‘0’, the ARC4 pointer in the Context Record is a relative pointer from
the base address of the context pointer in the token. If this bit is set to ‘1’, the ARC4-pointer in the Context
Record is an absolute pointer to the ARC4 State Record.
The most significant bit of the ARC4 State Record pointer indicates whether this is an absolute pointer or a
relative pointer. In the latter case, the used external DMA address is the context pointer, incremented with
the ARC4 State Record pointer.
TOKEN DATA
0x0080 Active Token word 0 R 0x00000000
0x0084 Active Token word 1 R 0x00000000
0x0088 Active Token word 2 R 0x00000000
0x008C Active Token word 3 R 0x00000000
0x0090 Active Token word 4 R 0x00000000
0x0094 Active Token word 5 R 0x00000000
0x0098 Active Token word 6 R 0x00000000
0x009C Active Token word 7 R 0x00000000
0x00A0 Active Token word 8 R 0x00000000
0x00A4 Active Token word 9 R 0x00000000
0x00A8 Active Token word 10 R 0x00000000
0x00AC Active Token word 11 R 0x00000000
0x00B0 Active Token word 12 R 0x00000000
0x00B4 Active Token word 13 R 0x00000000
0x00B8 Active Token word 14 R 0x00000000
0x00BC Active Token word 15 R 0x00000000
0x00C0 Next token word0 / Active word16 R 0x00000000
0x00C4 Next token word1 / Active word17 R 0x00000000
0x00C8 Next token word2 / Active word18 R 0x00000000
0x00CC Next token word3 / Active word19 R 0x00000000
0x00D0 Next token word4 / Active word20 R 0x00000000
0x00D4 Next token word5 / Active word21 R 0x00000000
0x00D8 Next token word6 / Active word22 R 0x00000000
0x00DC Next token word7 / Active word23 R 0x00000000
0x00E0 Next token word8 / Active word24 R 0x00000000
0x00E4 Next token word9 / Active word25 R 0x00000000
0x00E8 Next token word10 / Active word26 R 0x00000000
0x00EC Next token word11 / Active word27 R 0x00000000
0x00F0 Next token word12 / Active word28 R 0x00000000
0x00F4 Next token word13 / Active word29 R 0x00000000
0x00F8 Next token word14 / Active word30 R 0x00000000
0x00FC Next token word15 / Active word31 R 0x00000000
0x0100 Result token word0 R 0x00000000
0x0104 Result token word1 R 0x00000000
0x0108 Result token word2 R 0x00000000
0x010C Result token word3 R 0x00000000
0x0110 Result token word4 R 0x00000000
0x0114 Result token word5 R 0x00000000
0x0118 Result token word6 R 0x00000000
0x011C Result token word7 R 0x00000000
0x0120- reserved R 0x00000000
0x013C
CONTEXT
0x0140 Next context CMD0 R 0x00000000
0x0144 Next context CMD1 R 0x00000000
0x0148 Next general-purpose 0 R 0x00000000
0x014C Next general-purpose 1 R 0x00000000
0x0150 Next IV0 R 0x00000000
0x0154 Next IV1 R 0x00000000
0x0600 Sequence number large mask0 R 0x00000000 Current Large mask [31:0]
0x0604 Sequence number large mask1 R 0x00000000
0x0608 Sequence number large mask2 R 0x00000000
0x060C Sequence number large mask3 R 0x00000000
0x0610 Sequence number large mask4 R 0x00000000
0x0614 Sequence number large mask5 R 0x00000000
0x0618 Sequence number large mask6 R 0x00000000
0x061C Sequence number large mask7 R 0x00000000
0x0620 Sequence number large mask8 R 0x00000000
0x0624 Sequence number large mask9 R 0x00000000
0x0628 Sequence number large mask10 R 0x00000000
0x062C Sequence number large mask11 R 0x00000000
0x0630 Sequence number large mask12 R 0x00000000
0x0634 Sequence number large mask13 R 0x00000000
0x0638 Sequence number large mask14 R 0x00000000
0x063C Sequence number large mask15 R 0x00000000
0x0640 Sequence number large mask16 R 0x00000000
0x0644 Sequence number large mask17 R 0x00000000
0x0648 Sequence number large mask18 R 0x00000000
0x064C Sequence number large mask19 R 0x00000000
0x0650 Sequence number large mask20 R 0x00000000
0x0654 Sequence number large mask21 R 0x00000000
0x0658 Sequence number large mask22 R 0x00000000
0x065C Sequence number large mask23 R 0x00000000
0x0660 Sequence number large mask24 R 0x00000000
0x0664 Sequence number large mask25 R 0x00000000
0x0668 Sequence number large mask26 R 0x00000000
0x066C Sequence number large mask27 R 0x00000000
0x0670 Sequence number large mask28 R 0x00000000
0x0674 Sequence number large mask29 R 0x00000000
0x0678 Sequence number large mask30 R 0x00000000
0x067C Sequence number large mask31 R 0x00000000 Current Large mask [1023:992]
0x0680- Reserved R 0x00000000
0x07FC
Packets to be processed
Time-out counter enable
Result context
Active tokens
Context fetch
Debug mode
Busy
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0
context_done_if_ena
fetch_ovs_chk_dis
prep_ovs_chk_dis
seq_append_ena
adv_fifo_mode
Reserved
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
hash-only / null
AES-CTR/ICM
HMAC SHA-2
HMAC SHA-1
hash-decrypt
hash-encrypt
decrypt-hash
encrypt-hash
basic SHA-2
basic SHA-1
encrypt-only
GCM-HASH
HMAC MD5
3DES-CBC
3DES-OFB
3DES-ECB
3DES-CFB
Kasumi-F9
basic MD5
DES-CBC
DES-OFB
AES-CBC
DES-ECB
AES-OFB
DES-CFB
AES-ECB
AES-CFB
AES-XTS
Wireless
SHA-3
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
external BC0
ChaCha20
Reserved
Poly1305
SM4
SM3
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 - 0 1 0 1
# Available Tokens
Error Recovery
Result Context
Active Context
Next Context
CurrentState
Reserved
Reserved
Reserved
E14
E13
E12
E11
E10
E9
E8
E7
E6
E5
E4
E3
E2
E1
E0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
[23] Reserved
[27:24] (Active) Packet processing current state reflects the current state of the packet processing for the
Packet active packet. It is out of the scope of this document to provide the detailed state encoding.
Processing This field is read-only and should be treated as ‘reserved’.
Current State
[31:28] Next Packet Next packet current state reflects the current state of the next packet. It is out of the scope of
Current State this document to provide the detailed state encoding. This field is read-only and should be
treated as ‘reserved’.
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The background for this feature lies in a scenario where the EIP-96 is used in a look-aside environment
where the source and destination packet are overlapping (thus using a shared memory location). If the EIP-
96 is inserting data in front of or in the packet header it can happen that this result data byte stream is
larger and available in the output buffer sooner than it reads the last packet bytes from the input packet.
Therefore, if a system uses in-place transforms it is suggested to program this field to a value equal to the
maximum number of inserted header bytes for the required protocols. For the typical use cases, the
maximum is 64 bytes (40 IPv6 tunnel header bytes and 24 ESP header bytes) which requires 0x08 to be
programmed to the Hold output data field).
Note: The reset value of this register depends on the EIP-96 configuration. For the non-FIFO
configuration the value is 0xFE080207. For the FIFO (-f) configuration the value is 0x00000000.
Note: The reset value of this register depends on the EIP-96 configuration. For the non–FIFO
configuration the value is 0xF88008FF. For the FIFO (-f) configuration with small buffers the value
is 0xFE40044F.
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The background for this feature lies in a scenario where the EIP-96 is used in a look-aside environment
where the source and destination packet are overlapping (thus using a shared memory location). If the EIP-
96 is inserting data in front of or in the packet header it can happen that this result data byte stream is
larger and sooner available in the output buffer than it reads the last packet bytes from the input packet.
Therefore, if a system uses in-place transforms it is suggested to program this field to a value equal to the
maximum number of inserted header bytes for the required protocols. For the typical use cases, the
maximum is 64 bytes (40 IPv6 tunnel header bytes and 24 ESP header bytes) which requires 0x08 to be
programmed to the ‘Hold output data’-field).
Attention: These register descriptions are only valid for an internal PRNG subsystem. In case of an
external PRNG subsystem, these registers are “Reserved”.
Result Ready
Busy
Reserved
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
The difference between the Busy bit and Result Ready bit is that the Result Ready bit is mode-dependent and
only set in Manual mode (Auto bit is ‘0’), where the Busy bit is mode independent.
Enable
Auto
Reserved
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Note: It is recommended that an external RNG be used to generate the 64-bit random number used to
'seed' the PRNG Seed Low and High registers.
Attention: The Key registers should not contain all zeroes because the LFSR will not get out of this state
and an all-zero key is considered a “weak key” for DES.
Attention: The LFSR registers should not contain all zeroes because the LFSR will not get out of this state
and therefore submit a constant all-zero value into the PRNG.
reserved polarity_control
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
reserved type_control
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
reserved enable_control
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
reserved raw_status
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
reserved enable_set
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
reserved enabled_status
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
reserved ack
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
reserved enable_clear
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
reserved nr_of_inputs
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0
0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 0 1 1 0 1 1 0 1 1 0 0 1 0 0 1
Reserved
Reserved
Reserved
0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0
Reserved
Reserved
Reserved
error out error out error out error out
0 1 0 1 0 1 1 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 0 1 0 0 0 0
Reserved
Reserved
Reserved
error out error out error out error out
0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 0 1 0 1 1 1 0 1 0 1 0 1 1 0 0 0
Reserved
Reserved
Reserved
error out error out error out error out
0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 0 1 1 0 0 0 0 0
InvIPErrEn
ProtoIPv6
ProtoIPv4
Reserved
Reserved
InvalidNHCLE InvalidIPCLE
1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 0 0 1 0 1 0 0 1 0 0 0 0 0 1 0 0
SHA2-384/512
SHA2-224/256
1024-bit mask
SHA-1-Speed
ARC4-Speed
384-bit mask
256-bit mask
XCBC-MAC
DES-Speed
AES-Speed
ChaCha20
AES-XTS
Poly1305
Wireless
DES-FB
AES-FB
GHASH
SHA-3
SHA-1
ARC4
MD5
SM3
SM4
DES
AES
reserved
- 1 0 1 1 - 1 1 1 1 1 1 - - 0 1 1 1 1 1 1 1 - - - - - - 0 0 0 0
EIP_NUMBER_COMPL
MAJOR_VERSION
MINOR_VERSION
PATCH_LEVEL
EIP_NUMBER
Reserved
0 0 0 0 0 1 0 0 ? ? ? ? ? ? ? ? 1 0 0 1 1 1 1 1 0 1 1 0 0 0 0 0
D Protocol Compliance
D.1 Introduction
This appendix lists the EIP-96 functionality used to perform packet processing for officially supported
protocols. For each function the mapping to RFC and other protocol specifications is given.
D.2 Disclaimer
Although the EIP-96 contains functional modules which can be used to perform different protocol
operations, this appendix lists the officially supported and verified set of protocols. The verification is
focused on the usage of provided token examples.
Functionality of the EIP-96 used to process protocols other than listed, is not fully verified.
D.3 IP header
The EIP-96 contains instructions to modify/update fields in IPv4 or IPv6 headers. The supported operations
are listed in Table 43 and Table 44.
Table 43 Supported IPv4 functionality
D.5 AH
The EIP-96 provides hardware acceleration for AH processing based on the supported functionality in Table
46.
D.6 SSL
The EIP-96 provides hardware acceleration for SSL processing based on supported functionality in Table 47.
Attention: SSL is by default available in all configurations; The cipher suites with ARC4 are only available
in the EIP-96*s configurations that include the ARC4 algorithm.
D.7 TLS
The EIP-96 provides hardware acceleration for TLS processing (versions 1.0, 1.1, 1.2 and 1.3) based on
supported functionality Table 48.
Attention: TLS is by default available in all configurations; The cipher suites with ARC4 are only available
in the EIP-96*s configurations that include the ARC4 algorithm. Likewise, cipher suites with
Poly1305 and ChaCha20 are only available in EIP-96*b configurations.
D.8 DTLS
The EIP-96 provides hardware acceleration for DTLS processing based on supported functionality in Table
49.
Attention: DTLS is by default available in all configurations but cipher suites with Poly1305 and ChaCha20
are only available in EIP-96*b configurations.
D.9 SRTP/SRTCP
The EIP-96 provides basic hardware acceleration for SRTP/SRTCP processing based on the supported
functionality in Table 50.
Table 50 Supported SRTP/SRTCP functionality
D.10 MACsec
The EIP-96 provides hardware acceleration for MACsec processing based on the supported functionality in
Table 51.
Table 51 Supported MACsec functionality
F References
F.1 Conventions Used in this Manual
F.1.1 Acronyms
AAD Additional Authenticated Data
AES Advanced Encryption Standard
AH Authentication Header, an IPsec mode that authenticates the entire IP packet
ARC4 “Alleged RC4”, compatible with RC4
anti-replay An IPsec security feature that prevents a third party from eavesdropping on an IPsec
conversation.
BIST Built-In Self Test
black data Data that is present on the public domain, it is typically encrypted data
CBC Cipher Block Chaining
CFB Cipher Feed Back
Context Record Data structure used by EIP-96 containing all parameters required by the EIP-96 for performing a
data plane packet transformation.
CTR Counter mode of operation for block cipher algorithms (as in AES-CTR)
DES Data Encryption Standard
DF Don’t Fragment, this is a bit in the IPv4 header
DMA Direct Memory Access
DRBG Deterministic Random Bit Generator
DST Destination
dword A 32-bit data word
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
ECN Explicit Congestion Notification. Notification of congestion on the route in one or more nodes
when a packet travels on a network from host A to host B.
EIP EmbeddedIPTM
ESP Encapsulated Security Payload, an IPsec mode that crypts the data after the IPsec header.
HMAC Hash Message Authentication Code. A special kind of keyed hash. See [RFC2104].
HOP A node in an IPv6 network
HSM Hardware Security Module
IANA Internet Assigned Number Authority
ICM Integer counter mode (as in AES-ICM)
ICMP Internet Control Message Protocol
ICV Integrity Check Value
IHL Internet Header Length
IKE Internet Key Exchange
inbound data Packet data (typically encrypted) entering the EIP-96 from the public domain. This data is
typically decrypted by the EIP-96.
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IPsec IP Security Protocol, supports two modes ESP and AH
LSb/LSbs Least Significant Bit (plural: LSbs)
LSB/LSBs Least Significant Byte (plural: LSBs)
ITCM Instruction Tightly Coupled Memory
IV Initialization Vector
LNME Long Number Multiplier / Exponentiator
MSb/MSbs Most Significant Bit (plural: MSbs)
This document may contain timing diagrams. Figure 68 shows the key to the components used in these
diagrams. Any variations are clearly labeled and specifically stated when they occur.
Clock
HIGH to LOW
HIGH/LOW to HIGH
Bus stable
Bus unstable
Bus change
F.2 References
[IPsec Securing VPNs]
“IPsec Securing VPNs”, Carlton R. Davis, 2001,
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.txt
[RFC791]
“Internet Protocol”, Internet architects, September 1981,
https://www.ietf.org/rfc/rfc791.txt
[RFC1321]
“MD5 Digest Algorithm”, R. Rivest, April 1992,
https://www.ietf.org/rfc/rfc1321.txt
[RFC1828]
“IP Authentication using Keyed MD5”, P. Metzger, W. Simpson, August 1995,
https://www.ietf.org/rfc/rfc1828.txt
[RFC1829]
“The ESP DES-CBC Transform”, P. Karn, P. Metzger, W. Simpson, August 1995,
https://www.ietf.org/rfc/rfc1829.txt
[RFC2104]
“HMAC: Keyed-Hashing for Message Authentication”,
H. Krawczyk, M. Bellare and R. Canetti, February 1997,
https://www.ietf.org/rfc/rfc2104.txt
[RFC2246]
“The TLS Protocol Version 1.0”, January 1999,
https://www.ietf.org/rfc/rfc2246.txt
[RFC2401]
“Security Architecture for the Internet Protocol”, November 1998,
https://www.ietf.org/rfc/rfc2401.txt
[RFC2402]
“IP Authentication Header”, November 1998,
https://www.ietf.org/rfc/rfc2402.txt
[RFC2403]
“The Use of HMAC-MD5-96 within ESP and AH” C. Madson and R. Glenn, November 1998,
https://www.ietf.org/rfc/rfc2403.txt
[RFC2404]
“The Use of HMAC-SHA-1-96 within ESP and AH”,
C. Madson and R. Glenn, November 1998,
https://www.ietf.org/rfc/rfc2404.txt
[RFC2405]
“The ESP DES-CBC Cipher Algorithm With Explicit IV”,
C. Madson and N. Doraswamy, November 1998,
https://www.ietf.org/rfc/rfc2405.txt
[RFC2406]
“IP Encapsulating Security Payload (ESP)”, November 1998,
https://www.ietf.org/rfc/rfc2406.txt
[RFC2410]
“The NULL Encryption Algorithm and Its Use With IPsec” R. Glenn and S. Kent, November 1998,
https://www.ietf.org/rfc/rfc2410.txt
[RFC2411]
“IP Security, Document Roadmap”, November 1998,
https://www.ietf.org/rfc/rfc2411.txt
[RFC2451]
“The ESP CBC-Mode Cipher Algorithms”, R. Pereira and R. Adams, November 1998,
https://www.ietf.org/rfc/rfc2451.txt
[RFC2460]
“Internet Protocol, Version 6 (IPv6) Specification", December 1998
https://www.ietf.org/rfc/rfc2460.txt
[RFC3168]
“The Addition of Explicit Congestion Notification (ECN) to IP”, September 2001,
https://www.ietf.org/rfc/rfc3168.txt
[RFC3174]
“US Secure Hash Algorithm 1 (SHA1)”, September 2001,
https://www.ietf.org/rfc/rfc3174.txt
[RFC3260]
“New Terminology and Clarifications for Diffserv”, April 2002,
https://www.ietf.org/rfc/rfc3260.txt
[RFC3546]
“Transport Layer Security (TLS) Extensions”,
S. Blake-Wilson, M. Nystrom, D. Hopwood, J. Mikkelsen and T. Wright, June 2003,
https://www.ietf.org/rfc/rfc3546.txt
[RFC3566]
“The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec”, S. Frankel, H. Herbert, September 2003,
https://www.ietf.org/rfc/rfc3566.txt
[RFC3602]
“The AES-CBC Cipher Algorithm and Its Use with IPsec”,
S. Frankel, R. Glenn, S. Kelly, September 2003,
https://www.ietf.org/rfc/rfc3602.txt
[RFC3610]
“Counter with CBC-MAC (CCM)”, September 2003,
https://www.ietf.org/rfc/rfc3610.txt
[RFC3686]
“Using Advanced Encryption Standard (AES) Counter Mode With IPsec
Encapsulating Security Payload (ESP)”, R. Housley, January 2004,
https://www.ietf.org/rfc/rfc3686.txt
[RFC3711]
"The Secure Real-time Transport Protocol (SRTP)", M. Baugher et al. March 2004,
https://www.ietf.org/rfc/rfc3711.txt
[RFC4106]
“The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)”, J. Viega June 2005,
https://www.ietf.org/rfc/rfc4106.txt
[RFC4301]
“Security Architecture for the Internet Protocol”, S. Kent, K. Seo, December 2005,
https://www.ietf.org/rfc/rfc4301.txt
[RFC4302]
“IP Authentication Header”, December 2005
https://www.ietf.org/rfc/rfc4302.txt
[RFC4303]
“IP Encapsulating Security Payload (ESP)”, (Obsoletes RFC2406), S. Kent, December 2005,
https://www.ietf.org/rfc/rfc4303.txt
[RFC4304]
“Extended Sequence Number (ESN) - Addendum to IPsec Domain of Interpretation (DOI) for Internet Security
Association and Key Management Protocol (ISAKMP), S. Kent, December 2005,
https://www.ietf.org/rfc/rfc4304.txt
[RFC4305]
“Cryptographic Algorithm Implementation Requirements for EncapsulatingSecurity Payload (ESP) and
Authentication Header (AH)”, D. Eastlake, December 2005, (Obsoletes RFC2402, RFC2406 Errata, obsoleted by
RFC4835),
https://www.ietf.org/rfc/rfc4305.txt
[RFC4308]
“Cryptographic Suites for IPsec”, P. Hoffman, December 2005,
https://www.ietf.org/rfc/rfc4308.txt
[RFC4309]
“Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)”, R.
Housley D. McGrew, J. Viega, May 2006,
https://www.ietf.org/rfc/rfc4309.txt
[RFC4346]
“The Transport Layer Security (TLS) Protocol, Version 1.1”, T. Dierks, E. Rescorla, April 2006, (Obsoletes RFC2246,
Updated by RFC4366, RFC4680, RFC4681)
https://www.ietf.org/rfc/rfc4346.txt
[RFC4347]
“Datagram Transport Layer Security (DTLS)”, E. Rescorla, N. Modadugu, April 2006,
https://www.ietf.org/rfc/rfc4347.txt
[RFC4494]
“The AES-CMAC-96 Algorithm and Its Use with IPsec”, June 2006,
https://www.ietf.org/rfc/rfc4494.txt
[RFC4543]
“The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH”, D. McGreq, May 2006,
https://www.ietf.org/rfc/rfc4543.txt
[RFC4634]
“US Secure Hash Algorithms (SHA and HMAC-SHA)”, D. Eastlake 3rd, T Hansen, July 2006
https://www.ietf.org/rfc/rfc4634.txt
[RFC4835]
“Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and
Authentication Header (AH)”, V. Manral, April 2007, (Obsoletes RFC4305),
https://www.ietf.org/rfc/rfc4835.txt
[RFC4868]
“HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec”, S. Kelly, Aruba Networks, S. Frankel, May 2007
https://www.ietf.org/rfc/rfc4868.txt
[RFC4869]
“Suite B Cryptographic Suites for IPsec”, L. Law, J. Solinas, May 2007
https://www.ietf.org/rfc/rfc4869.txt
[RFC5116]
“An Interface and Algorithms for Authenticated Encryption”, January 2008
https://www.ietf.org/rfc/rfc5116.txt
[RFC5246]
“The Transport Layer Security (TLS) Protocol Version 1.2”, August 2008
https://www.ietf.org/rfc/rfc5246.txt
[RFC5288]
“AES Galois Counter Mode (GCM) Cipher Suites for TLS", August 2008
https://www.ietf.org/rfc/rfc5288.txt
[RFC5289]
“TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)", August 2008
https://www.ietf.org/rfc/rfc5289.txt
[RFC6040]
“Tunnelling of Explicit Congestion Notification”, November 2010,
https://www.ietf.org/rfc/rfc6040.txt
[RFC6071]
“IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap”, Februari 2011
https://www.ietf.org/rfc/rfc6071.txt
[RFC6101]
“The Secure Sockets Layer (SSL) Protocol Version 3.0”, August 2011
https://www.ietf.org/rfc/rfc6101.txt
[RFC6188]
“The Use of AES-192 and AES-256 in Secure RTP”, March 2011
https://www.ietf.org/rfc/rfc6188.txt
[RFC6234]
“US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)”, August 2011
https://www.ietf.org/rfc/rfc6234.txt
[RFC6347]
“Datagram Transport Layer Security Version 1.2", January 2012
https://www.ietf.org/rfc/rfc6347.txt
[RFC6379]
“Suite B Cryptographic Suites for IPsec", October 2011
https://www.ietf.org/rfc/rfc6379.txt
[RFC6655]
“AES-CCM Cipher Suites for Transport Layer Security (TLS)", July 2012
https://www.ietf.org/rfc/rfc6655.txt
[RFC7321]
“Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload
(ESP) and Authentication Header (AH)”, August 2014, (Obsoletes RFC4835),
https://www.ietf.org/rfc/rfc7321.txt
[RFC7539]
“ChaCha20 and Poly1305 for IETF Protocols", May 2015
https://www.ietf.org/rfc/rfc7539.txt
[RFC7568]
“Deprecating Secure Sockets Layer Version 3.0", June 2015
https://www.ietf.org/rfc/rfc7568.txt
[RFC7634]
“ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec", August 2015
https://www.ietf.org/rfc/rfc7634.txt
[RFC7714]
“AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)", December 2015
https://www.ietf.org/rfc/rfc7714.txt
[RFC7905]
“ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", June 2016
https://www.ietf.org/rfc/rfc7905.txt
[RFC8200]
“Internet Protocol, Version 6 (IPv6) Specification", July 2017
https://www.ietf.org/rfc/rfc8221.txt
[RFC8221]
“Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload
(ESP) and Authentication Header (AH)", October 2017
https://www.ietf.org/rfc/rfc8221.txt
[RFC8439]
“ChaCha20 and Poly1305 for IETF Protocols", June 2018
https://www.ietf.org/rfc/rfc8439.txt
[RFC8446]
“The Transport Layer Security (TLS) Protocol Version 1.3”, August 2018
https://www.ietf.org/rfc/rfc8446.txt
[SM3]
Original Chinese version of the SM3 specification.
“SM3 Cryptographic Hash Algorithm”, Chinese Commercial Cryptography Administration Office, December 2010
http://www.sca.gov.cn/sca/xwdt/2010-12/17/1002389/files/302a3ada057c4a73830536d03e683110.pdf
[GM/T-0004-2012]
Translated version of Chinese specification.
“SM3 Cryptographic Hash Algorithm”, Chinese Commercial Cryptography Administration Office, July 2018
http://www.gmbz.org.cn/upload/2018-07-24/1532401392982079739.pdf
[draft-sca-cfrg-sm3-02]
“The SM3 Cryptographic Hash Function”, January 2018
https://tools.ietf.org/html/draft-sca-cfrg-sm3-02
[SM4]
Original Chinese version of the SM4 specification.
http://www.gmbz.org.cn/main/viewfile/20180108015408199368.html
[SM4-eng]
Translated version of Chinese specification.
“SMS4 Encryption Algorithm for Wireless Networks“, Cryptology ePrint Archive, May 2008
https://eprint.iacr.org/2008/329.pdf
[draft-ribose-cfrg-sm4-10]
“The SM4 Blockcipher Algorithm and Its Modes of Operation”, April 2018
https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10
[sms4-diffie]
“SM4 Encryption Algorithm for Wireless Networks”, May 2008
https://eprint.iacr.org/2008/329.pdf
[GM/T 022-2014]
IPSec VPN specification, China State Cryptography Administration, Februari 2014
[draft-sca-curdle-tls-sm34-00]
“SM3 and SM4 Cipher Suites for TLS”, April 2018
https://tools.ietf.org/html/draft-sca-curdle-tls-sm34-00
[FIPS Pub. 46-3]
“Data Encryption Standard”, NIST, October 1999, Withdrawn on May 19, 2005
http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
[FIPS Pub. 81]
“DES Modes of Operation”, NIST, December 1980,
http://csrc.nist.gov/publications/fips/fips81/fips81.htm
[FIPS Pub. 180-2]
“Secure Hash Standard”, NIST, Per October 2008 superseded by: FIPS Pub. 180-3
http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
[FIPS Pub. 180-3]
“Secure Hash Standard”, NIST,
http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
[FIPS Pub. 180-4]
“Secure Hash Standard”, NIST,
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
[FIPS Pub. 140-2]
“Security Requirements for Cryptographic Modules”, NIST,
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
[FIPS Pub. 197]
“Announcing the ADVANCED ENCRYPTION STANDARD (AES) “, NIST, November 2001
http://csrc.nist.gov/publications/fips/fips-197/fips-197.pdf
[FIPS Pub. 202]
“SHA-3 standard: Permutation-Based Hash and Extendable-Output Functions”, NIST, August 2015
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
[Netscape draft302]
“The SSL Protocol Version 3.0”, A. Freier, P. Karlton, P. Kocher, Nov 1998,
http://wp.netscape.com/eng/ssl3/draft302.txt
[Internet Draft IETF]
“Integer Counter Mode”, D. McGrew. October, 2002,
www.mindspring.com/~dmcgrew/draft-mcgrew-saag-icm-01.txt
[ARC4]
"A Stream Cipher Encryption Algorithm arcfour", K. Kaukonen, R. Thayer, 14 July 1999,
draft-kaukonen-cipher-arcfour-03.txt
[GCM]
“The Galois/Counter Mode of Operation (GCM)”, May 31, 2005
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
[NIST Special Publication 800-67 Version 1.1]
“Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher”,
http://csrc.nist.gov/publications/PubsSPs.html#800-67
[IEEE Std 1619™-2007]
The XTS-AES Tweakable Block Cipher, IEEE Standard for Cryptographic Protection of Data on Block-Oriented
Storage Devices
[SNOW-3G]
“Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 and UIA2. Document 2: SNOW 3G
Specification” 6th September 2006, Version 1.1, ETSI/SAGE
[EEA3-EIA3]
“Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 and 128-EIA3.
Document 1: 128-EEA3 and 128-EIA3 Specification”, 1st July 2011, Version 1.6, ETSI/SAGE
http://www.gsmworld.com/documents/EEA3_EIA3_specification_v1_6.pdf
G Deliverables
The EIP-96 is shipped in a package that contains the following:
• Verilog HDL,
• Fast Verilog test bench including testvector set with (human) readable test data,
• Test scripts, including tests for all supported algorithms and protocols, also based on FIPS and NIST
example vectors,
• Verification check list, a comprehensive report of all tests executed by Rambus,
• Compile and simulation scripts,
• Sample synthesis scripts, including interface and clocking constraints,
• Full programming and user support documentation.
(End of Document)