Partitioned security processor architecture on FPGA platform

IET Computers & Digital Techniques


Internet protocol security (IPSec), secure sockets layer (SSL)/transport layer security (TLS) and other security protocols necessitate high-throughput hardware implementation of cryptographic functions. In recent literature, cryptographic functions have been implemented in software, application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs), but they are not necessarily optimized for throughput. Because of the various side-channel attacks on cache and memory, and the various malware-based exfiltration of security keys and other sensitive information, cryptographic enclave processors are implemented that isolate cryptographically sensitive information such as keys. We propose a partitioned enclave architecture targeting IPSec, TLS and SSL, where the partitioned area ensures that the processor data-path is completely isolated from the secret-key memory. The security processor consists of a Trivium random number generator and Rivest–Shamir–Adleman (RSA), advanced encryption standard (AES) and KECCAK crypto cores. We implement three different optimized KECCAK architectures. The processing element (PE) handles all communication interfaces, data paths, and control hazards of the network security processor. Memory communication for KECCAK and AES is handled by a direct memory access controller to reduce the PE overhead. The whole system is demonstrated by FPGA implementation using Vivado 2015.2 on Artix-7 (XC7A100T, CSG324). The implemented KECCAK architectures perform better in terms of security, throughput and resource usage than those in the existing literature.


