If an IP core is optimized by locking down the physical layout, this reduces the flexibility of placement for the remainder of the design which can worsen the overall timing closure problems. Remember, the very essence of an encryption algorithm is randomness. So the combination of high clock speed, high complexity, and a "random" interconnect pattern is a recipe for difficulties in meeting timing closures.

Power consumption in FPGAs has become a major criterion for users in recent years because it affects the overall system cooling regime and costs, as well as raising concerns on reliability. FPGA vendors have successfully adopted design techniques to minimize quiescent power in larger devices (see This Web Page from Altera or This Web Page from Xilinx, for example). Fortuitously, one consequence of Moore's Law is that it has driven operating voltages down to 1 volt, but dynamic power will always be proportional to clock frequency, so a lower clock is better.

Verification is the number one headache in system design. AES was standardized by NIST with a number of different operating modes. NIST also provides a large number of 'known answer' test patterns and a specification for tests to be used in implementation validation. For validation, the test vectors are generated by a NIST approved test lab and are not known in advance. You can save quite a lot of work by selecting a vendor who offers a comprehensive test bench implementing all AESAVS tests, ideally with additional vectors as specified in FIPS197 and Special Publication SP800-38A.

Commercial considerations
These are best illustrated by example. Factors to consider include core cost, silicon cost, core support and modification costs, license restrictions, and the learning curve.

For example, Algotronix offers a range of AES cores, including a flagship 10 Gbps AES-GCM design. The core is very competitively priced, and "ticks all the boxes" in terms of being a compact design that delivers 10 Gbps from only a 156 MHz clock. So far, so good...

The next cost to consider is the silicon. Unlike an ASIC, efficiency of implementation has an impact on the total cost. For most systems it is valid to assume that there will be a need for an FPGA for interfacing or custom logic, and that the AES core can co-exist in this device. The Algotronix G3 core will fit into a Spartan or Virtex series FPGA from Xilinx or a Cyclone or Stratix device from Altera.

You should select a core that can be targeted at multiple FPGA families or vendors so that you have more flexibility to reduce silicon costs. The 100+ list price for Xilinx Spartan XC3S2000-4FG456C is $45.90. The resources for the core logic (32 bit datapath, ECB, Encrypt Only, 128 bit key, 'Offline' Hardware Key Expansion, 'Push Button' flow) provide a throughput of over 350 Mbps and require 1.3% of the FPGA. Therefore the cost of the silicon real-estate occupied by the core is only $0.57.

IP vendors typically provide customers with either HDL or netlist versions of their cores. It is not practical to trace how many FPGAs have been shipped with the IP, so expect no royalty payments. One "future proof" consideration is that at least one vendor allows the IP to be moved to ASIC at no additional cost. This provides an easy cost reduction path for successful products, or an easy way to prototype an ASIC solution.

3. Simplified decision flow.
(Click this image to view a larger, more detailed version)

To cover the range of options and modes supported in AES, customers can license and edit HDL code, but be aware that this is often at a steep price premium over a netlist. In addition to on-line support (ranging from 30 days to a year), most vendors offer a customization service where the exact functionality can be set.

The advantage of licensing HDL code becomes clear in two circumstances. The first example is where marketing change the specification late into the project. (What, this never happens in your company? The other advantage relates to learning curve and reuse issues. Engineers need to understand how things work, and it is much easier reading an HDL source than a netlist.

HDL code allows engineers to play out "what if" scenarios to arrive at the optimum design. For example, users can change VHDL generic parameters and recompile to evaluate trade-offs such as data path widths. They will also be expected to verify the core and create test vectors for the final product.

The final task (and the least exciting) is to document how the design works. To put the cost of the learning curve into perspective, assume that the annual cost of salary, benefits and tool costs for an engineer runs at $110k. Our experience at Algotronix is that customers are actively working within a day on "plain vanilla" cores, but we also offer a safety net for more demanding designs with consultancy options. Better still, customers can sign up to get a free-of-charge evaluation copy to convince them that it is the right core.

One special consideration for encryption IP relates to confidence that the security has not been compromised. A concern in a high security design is to ensure that so called "back door" features have not been maliciously included. It is important, therefore, to select a reputable vendor.

Purchasing untraceable source code without provenance or whose authors are anonymous should be avoided. It greatly reduces the risk that criminal hackers or a hostile intelligence agency has 'contributed' malware to an open source project. It is also risky to purchase encryption IP from a vendor in a country with a less-developed legal framework or one which has political disagreements with your own. Owning source code gives users the option of analyzing the design and archiving it.

Finally, a very important consideration is reuse. In reality, most customers will continue to include the security systems they develop in future products, because reuse of blocks has doubled over the last decade (see This Web Page for more details). The AES standards will not change, so choosing a vendor who offers multiple use or low cost extensions to the license can be a shrewd move. Larger companies will also look for either a site-wide license or one covering their whole company division so that they have the flexibility to operate efficiently.

Summary
A number of technical and commercial aspects have been discussed in this article, but there is no substitute for a full evaluation. The author hopes that this paper has helped to highlight some of the considerations when selecting an AES core.

Paul Dillien has worked in the semiconductor industry for over 30 years, including various Sales and Marketing roles working for Xilinx, Plessey and Ferranti.

More recently, Paul founded the high-technology marketing consultancy company High Tech Marketing. Paul can be contacted at paul@high-tech-marketing.co.uk.