Many applications involve securing data using high-performance cryptographic algorithms, such as encryption/decryption algorithms usually in conjunction with message authentication. One common cryptographic encryption/decryption algorithm is a symmetric key block cipher algorithm adopted by the Department of Commerce, National Institute of Standards and Technology (NIST) as its Advanced Encryption Standard (AES). (See detailed specification in “Federal Information Processing Standards Publication 197” (FIPS 197), of Nov. 26, 2001, incorporated herein by reference in its entirety, hereinafter referred to as the AES specification.) Older FIPS-approved symmetric block ciphers include the Data Encryption Standard (DES) and triple-DES.
Several modes may be used to encrypt and/or authenticate data. Some of these modes are described in the NIST Special Publication (SP) 800-38A, of 2001, entitled “Recommendation for Block Cipher Modes of Operation,” and incorporated herein by reference in its entirety. Yet another mode of operation, called Galois/Counter Mode (GCM), is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption. GCM takes a plaintext bit string as an input and combines it with an initialization vector (IV) to produce an encrypted bit string (i.e., ciphertext) and an authentication tag, where the ciphertext is the same length as the original plaintext. A variant of GCM used to generate a Message Authentication Code for unencrypted data is called GMAC. A description of GCM and GMAC can be found in NIST SP 800-38D, of November 2007, entitled “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC,” incorporated herein by reference in its entirety.
A further additional mode of operation, XTS, stands for XEX-based Tweaked codebook mode with ciphertext Stealing, where “XEX” is from “XOR-Encrypt-XOR”. In XTS, a tweakable block cipher E operates on a message M, a key K, and two tweak values i and j, to produce a ciphertext C. The tweak values may operate like an IV but may have different security properties: an IV is generally random, whereas a tweak does not have to be. An encryption key provides security against an adversary recovering the plaintext and must remain secret, whereas a tweak aims to provide variability of the ciphertext, and the tweakable block cipher remains secure even if the tweak values are known. For XTS-AES, for example, data units are divided into 128-bit blocks and each data unit is assigned two tweak values that are non-negative integers. The tweak values may be assigned consecutively, starting from an arbitrary non-negative integer. A description of XTS-AES can be found in NIST SP 800-38E, entitled “Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices,” of January 2010, incorporated herein by reference in its entirety.
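The two modes described above both rely on arithmetic in the binary Galois field GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1, but in different roles and with different bit orderings: GCM's GHASH evaluates a polynomial over the associated data and ciphertext to produce the authentication tag (SP 800-38D, bit-reflected representation), while XTS multiplies a per-data-unit tweak by successive powers of alpha to give every 128-bit block its own tweak (SP 800-38E, little-endian representation). The following is an added example in Python, not part of the patent text, showing both computations. No AES block cipher is implemented: the AES outputs that GCM would compute (H = E_K(0) and E_K(J0)) are copied from the published GCM test case 2 (zero key, zero IV, one zero plaintext block), and the XTS starting tweak T_0, which XTS-AES would derive as E_K2(i), is simply a constructed input.

```python
# Added example, not part of the patent text: GF(2^128) arithmetic as used by
# the two modes discussed above. GCM's GHASH multiplies in the bit-reflected
# representation of SP 800-38D; XTS multiplies its tweak by powers of alpha
# in the little-endian representation of SP 800-38E. Both reduce modulo
# x^128 + x^7 + x^2 + x + 1. No AES is implemented here: the values that AES
# would supply are taken from the published GCM test vectors or constructed.

# ---- GCM side: GHASH and the authentication tag --------------------------

GCM_R = 0xE1 << 120  # x^128 = x^7 + x^2 + x + 1, written in reflected form


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements in GCM's reflected representation, where
    bit 0 of the 128-bit block is the most significant bit of the integer
    (Algorithm 1 of SP 800-38D)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ GCM_R if v & 1 else v >> 1
    return z


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): a polynomial over GF(2^128) evaluated at H, taken over
    the associated data, the ciphertext, and a final block of bit lengths."""

    def blocks(data: bytes):
        for off in range(0, len(data), 16):
            yield data[off:off + 16].ljust(16, b"\x00")  # zero-pad the tail

    hk = int.from_bytes(h, "big")
    y = 0
    for blk in list(blocks(aad)) + list(blocks(ciphertext)):
        y = gf128_mul(y ^ int.from_bytes(blk, "big"), hk)
    length_block = (len(aad) * 8) << 64 | (len(ciphertext) * 8)
    y = gf128_mul(y ^ length_block, hk)
    return y.to_bytes(16, "big")


def gcm_tag(h: bytes, aad: bytes, ciphertext: bytes, enc_j0: bytes) -> bytes:
    """Tag = GHASH_H(A, C) XOR E_K(J0). E_K(J0) is supplied by the caller."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), enc_j0))


# Published GCM test case 2 (K = 0^128, IV = 0^96, P = 0^128): the AES
# outputs that the full mode would compute are copied here as constants.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")    # E_K(0^128)
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")    # ciphertext
EJ0_TC2 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0)
TAG_TC2 = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")  # expected tag


def tag_detects_tamper(flip_byte: int = 3) -> bool:
    """Flip one ciphertext bit and check that the recomputed tag differs."""
    tampered = bytearray(C_TC2)
    tampered[flip_byte] ^= 0x01
    return gcm_tag(H_TC2, b"", bytes(tampered), EJ0_TC2) != TAG_TC2


# ---- XTS side: per-block tweak sequence ----------------------------------

def xts_mul_alpha(t: bytes) -> bytes:
    """Multiply a 16-byte tweak by alpha (the polynomial x) in the
    little-endian representation of SP 800-38E."""
    v = int.from_bytes(t, "little") << 1
    if v >> 128:  # carry out of bit 127: reduce by x^7 + x^2 + x + 1
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(16, "little")


def xts_block_tweaks(t0: bytes, n_blocks: int) -> list:
    """T_j = T_0 * alpha^j for blocks j = 0 .. n_blocks-1 of one data unit.
    In XTS-AES T_0 is E_K2(i); here T_0 is simply a (constructed) input."""
    out, t = [], t0
    for _ in range(n_blocks):
        out.append(t)
        t = xts_mul_alpha(t)
    return out


if __name__ == "__main__":
    print("GCM tag matches test case 2:",
          gcm_tag(H_TC2, b"", C_TC2, EJ0_TC2) == TAG_TC2)
    print("tamper detected:", tag_detects_tamper())
    t0 = b"\x01" + b"\x00" * 15  # constructed T_0: the field element 1
    print("alpha^128 =", xts_block_tweaks(t0, 129)[128].hex())
```

Two points worth noting from running it. On the GCM side, with empty associated data and empty ciphertext GHASH is zero, so the tag reduces to E_K(J0) alone, which is why the tag must never be computed without the length block; and flipping a single ciphertext bit changes the tag, which is the property that lets a decryptor reject modified data before releasing plaintext. On the XTS side, starting from the field element 1, the 129th tweak is 0x87 followed by zeros, i.e. x^128 reduced to x^7 + x^2 + x + 1, and all 129 tweaks are distinct, which is what gives two identical plaintext blocks at different positions in a data unit different ciphertexts even though the tweak values themselves need not be secret.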
Many high-speed hardware implementations of cryptographic algorithms such as the algorithms discussed above use pipelining and/or unrolling to speed up cryptographic processing. While pipelining and/or unrolling certain cryptographic algorithms may make for an easier-to-route, higher-performance hardware core, these techniques often make the interface timing very restrictive. Also, the input and output words of such implementations typically need to be presented to, and taken from, the hardware core within a fixed time. This inflexibility may make the hardware core very difficult to use, and in some cases result in a slower and/or larger system than if discrete hardware cores had been used for the individual encryption processes. Another limitation of many high-speed hardware implementations of cryptographic algorithms is their limited capability to handle data incoming from multiple channels. Such a capability is increasingly important in modern transmission systems that carry data at a high rate and in parallel. Yet another limitation of many high-speed hardware implementations of cryptographic algorithms is the lack of scalability of these implementations as higher throughputs, different speed grades, and/or different target devices are required.