Design of an RC6™
Cryptography System
ECE 551 Course Project
Initial Report and Initial Verilog- Due Tuesday, November 26, 2002 (By 1:00 PM)
Final Report and Final Verilog - Due Tuesday, December 10, 2002 (By 1:00 PM)
Project Teams and Collaboration
Project teams are to consist of three students. All project work submitted by a team is to
be performed by that team. Design reuse from other teams currently in this course or in
the course in the past or from other sources is strictly prohibited. The only inter-team
collaboration permitted is clarification of specifications and assistance in tool use. Along
with your final report, you should turn in a brief (e.g., one page) description of the work
performed by each team member. All team members must sign this page.
Project Specification
This document contains a high-level description of the project, which includes a top-level
description of the design, block diagrams and signal specifications, a description of the
encryption and decryption algorithms, an overview of system timing, details on the
project testing methodology, and information on the initial and final reports. Additional
information related to synthesis will be provided in a supplemental project specification.
Top Level Description
The course project is to design a 16-bit version of an RC6 cryptography system. The RC6
cryptosystem is a block cipher cryptography system that performs private-key encryption
and decryption. It was one of five finalist considered by the National Institute of
Standards and Technology (NIST) for the new Advanced Encryption Standard. The RC6
block cipher consists of three components:
1) A key scheduler, which takes user-supplied keys and generates round keys.
2) An encryptor, which takes the round keys and plaintext and produces encrypted
ciphertext
3) A decryptor, which takes the round keys and the ciphertext and produces the
decrypted plaintext
For the course project, you will be implementing both the RC6 encryptor and decryptor.
You will be implementing the key schedule as part of Homework #5 and then modifying
it for use in your project. The encryptor and decryptor will be synthesized and then resimulated using post-synthesis timing information. The key scheduler and overall
testbench will be simulated, but do not need to be synthesized. A complete description of
the RC6 cryptography system is available from:
ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6v11.pdf
Additional details on RC6 are given at:
http://www.rsasecurity.com/rsalabs/rc6/
Block Diagram and Signal Specification
A block diagram of the 16-bit RC6 encryptor and decryptor is shown in Figure 1. Control
signals are active high. The following gives a description of the input and output signals
for the encryptor.
1. plaintext_e : This 16-bit data input signal corresponds to a word of plaintext data
that is to be encrypted. Four consecutive 16-bit plaintext_e values form a 64-bit
block that is to be encrypted.
2. round_keys_e : This 16-bit data input signal corresponds to one encryption round
key. A total of 44 round keys are used to encrypt and decrypt the data. Although the
encryptor and decryptor use identical round keys for a given block of data, separate
encryptor and decryptor round keys are provided, since they receive the round keys
at different times and processor the round keys in reverse order. This also allows the
decryptor to be deciphering one block, while the encryptor is ciphering the next.
3. start_e : This 1-bit control input signal tells the encryptor that it will start receiving
plaintext_e during the next cycle. This signal should only go high for one cycle.
4. reset : This 1-bit control input signal resets both the encryptor and decryptor. When
reset occurs, all registers are cleared and the controllers go to a known state.
5. clock : This 1-bit input signal corresponds to the system clock for the encryptor and
decryptor. Values are to be latched into registers at the positive edge of the clock.
6. ciphertext : This 16-bit data output signal corresponds to a word of ciphertext data
that has been encrypted and needs to be decrypted. Four consecutive 16-bit
ciphertext values form a 64-bit block that has been encrypted. The same signal is
used as an input to the decryptor.
7. ready_e : This 1-bit control output signal indicates that the encryptor is ready to
receive new plaintext. It goes high following a reset signal and stays high until the
start_e goes high. Once the encryptor has finished encrypting the data ready_e goes
high, until the next time start_e goes high.
8. start_d : This 1-bit control output signal tells the decryptor that the encryptor will
start sending ciphertext during the next cycle. This signal should only go high for
only one cycle. This same signal is used as an input to the decryptor.
The following gives a description of the input and output signals for the decryptor.
1. plaintext_d : This 16-bit data output signal corresponds to a word of plaintext data
that has been decrypted. Four consecutive 16-bit plaintext_d values form a 64-bit
block that has been decrypted. When the same round_keys are used, the plaintext_d
produced should be equivalent to the plaintext_e that was originally input.
2. round_keys_d : This 16-bit data input signal corresponds to one decryption round
key. (see the description of round_key_e for further details).
3. start_d : (see previous description)
4. reset : (see previous description)
5. clock : (see previous description)
6. ciphertext : (see previous description)
7. ready_d : This 1-bit control output signal indicates that the decryptor is ready to
receive new ciphertext. It goes high following a reset signal and stays high until the
start_d goes high. Once the decryptor has finished decrypting the data ready_d goes
high, until the next time start_d goes high.
16
=
1
round_keys_e16
=
start_e 1
ciphertext 16
=
1
plaintext_e
Encryptor
start_d
16
=
1
16
round_keys_d
=
1
plaintext_d
Decryptor
reset
clock
ready_e
reset
clock
ready_d
Figure 1: RC6 Encryptor and Decryptor Block Diagram.
Encryption and Decryption Algorithms
The 16-bit RC6 encryption and decryption algorithms are shown in Figures 2 and 3,
respectively. These figures show the high-level details of the encryption and decryption
algorithms, but do not specify the internal structure for the design or how the design
interacts with the control signals. The number of round keys r is a user-supplied
parameter, which has a value of 20 for this project. The encryption and decryption
algorithms have an initialization section, followed by a loop consisting of r rounds,
followed by a completion section. Each round, two round keys and mathematical
transformations are used to compute new values for A and C, and the values in registers
(A, B, C, D) rotate one position. All arithmetic operations are performed modulo 216,
such that only the 16 least significant bits of the result are kept. The operators a <<< b
and a >>> b indicate that a is rotated (left or right) by the amount given in the 4 least
significant bits of b.
RC6 Encryption Algorithm
Input:
Four 16-bit plaintext_e values stored in registers A, B, C, and D
2r + 4 16-bit round_key_e values S[0, …, 2r+3]
Output:
Four 16-bit ciphertext values stored in registers A, B, C, and D.
Procedure:
B = B + S[0];
D = D + S[1];
for i = 1 to r do {
t = (B × (2B + 1)) <<< 4;
u = (D × (2D + 1)) <<< 4;
A = ((A  t) <<< u) + S[2i];
C = ((C  u) <<< t) + S[2i + 1];
(A, B, C, D) = (B, C, D, A);
}
A = A + S[2r + 2];
C = C + S[2r + 3];
Figure 2: RC6 Encryption Algorithm.
RC6 Decryption Algorithm
Input:
Four 16-bit ciphertext values stored in registers A, B, C, and D
2r + 4 16-bit round_key_d values S[0, …, 2r+3]
Output:
Four 16-bit plaintext_d values stored in registers A, B, C, and D.
Procedure:
C = C  S[2r + 3];
A = A  S[2r + 2];
for i = r downto 1 do {
(A, B, C, D) = (D, A, B, C);
u = (D × (2D + 1)) <<< 4;
t = (B × (2B + 1)) <<< 4;
C = ((C  S[2i + 1]) >>> t)  u;
A = ((A  S[2i]) >>> u)  t;
}
D = D  S[1];
B = B  S[0];
Figure 3: RC6 Decryption Algorithm.
RC6 Signal Timing
The RC6 encryptor and decryptor have the following timing.
1. The reset signal going high resets both the encryptor and decryptor, which causes all
the datapath registers to be cleared, the ready_e and ready_d signals to go high, and
the start_d signal to go low.
2. Any time after the reset signal goes low and the ready_e signal goes high, the start_e
signal going high for one cycle indicates that the encryptor will receive one 16-bit
plaintext_e value per cycle for the next four cycles in the order A, B, C, D. The
start_e signal going high also causes the ready_e signal to go low in the following
cycle.
3. After the first two 16-bit plaintext_e values have been received, the encryptor
receives one 16-bit round_key_e value per cycle for the next (2r + 4) cycles in the
order S[0] to S[2r+3].
4. One cycle before the first 16-bit ciphertext value is ready, the start_d signal from the
encryptor to the decryptor goes high for one cycle to indicate that the decryptor will
receive one 16-bit ciphertext value per cycle for the next four cycles in the order A,
B, C, D. In the same cycle, the ready_e signal goes high to indicate that the encryptor
is now ready to receive new plaintext. The start_d signal going high also causes the
ready_d signal to go low in the following cycle.
5. After the first two 16-bit ciphertext values have been received, the decryptor receives
one 16-bit round_key_e value per cycle for the next (2r + 4) cycles in the order
S[2r+3] downto S[0].
6. One cycle before the first 16-bit plaintext_d value is ready, the ready_d signal goes
high. The plaintext_e values are output during the next four cycles in the order A, B,
C, D plaintext.
Table 1 depicts a valid timing schedule for the RC6 encryptor.. Signals that change in a
given cycle are shown in bold. Boxes that are outlined darker correspond to the RC6
encryption round loop, which run from 1 to r. Each 16-bit value in the plaintext is marked
with a ‘ to denote its new value in the ciphertext.
cycle reset ready_e start_e start_d plaintext_e round_key_e ciphertext
0
1
1
0
1
0
0
2
0
1
0
1
3
0
0
0
0
A
4
0
0
0
0
B
5
0
0
0
0
C
S[0]
6
0
0
0
0
D
S[1]
7
0
0
0
0
S[2]
2i+6
0
0
0
0
S[2i+1]
2i+7
0
0
0
0
S[2i+2]
2r+8
0
0
1
1
S[2r+3]
2r+9
0
1
0
0
A’
2r+10
0
1
0
0
B’
2r+11
0
1
0
0
C’
2r+12
0
1
0
0
D’
Testing Methodology
Your design should be tested by developing a testbench that
(1) Reads in plaintext, user-supplied keys, and expected ciphertext from a file
(2) Uses the key scheduler to take the user-supplied keys and generate the round keys
(3) Send the appropriate the control signals, plaintext, and round keys to the encryptor
and decryptor
(4) Tests to ensure that the ciphertext is correctly generated and that the plaintext from
the decryptor matches the plaintext to the encryptor. If discrepancies occur between
the expected results and actual results, errors should be reported.
More details on specific tests cases will be supplied at a later date.
Initial Report – Due Tuesday, November 26, 2002 (By 1:00 PM)
The initial report should illustrate your functionally correct, simulated design. It is not to
contain any synthesis results. However, it is strongly recommended that you perform the
analysis and elaboration steps of synthesis in order to insure that your Verilog is
compatible with Design Compiler’s capabilities. The initial report will be approximately
five to six pages long. You will not be provided any direct feedback on this report but we
will check and mark your progress based on this report. The initial report will be graded
and is worth 10 project points. For the initial report, submit the following:
1) A cover sheet giving the names of all team members
2) A diagram showing the logical hierarchy of your modules including module
names and brief descriptions of what each module does.
3) Detailed block diagrams for the encryptor and decryptor, which show registers,
functional units, multiplexers, control signals, etc.
4) State transition graphs or ASM charts for the finite state machines that control
your encryptor and decryptor.
5) Verilog code for your encryptor, decryptor, key scheduler, and testbench. This
code should be commented well.
6) Pre-synthesis simulation results for the modules from part 5. Include comments
and annotated waveform for ease of interpretation of results. Also indicate
whether or not results are correct and any known bugs.
Final Report - Due Tuesday, December 10, 2002 (By 1:00 PM)
The final report is to present the Verilog code from which the final synthesis was
performed and your synthesized results. For the final report, submit the following:
1) A cover sheet giving the names of all team members.
2) A diagram showing the logical hierarchy of your modules including module
names and corresponding brief descriptions.
3) Detailed block diagrams for the encryptor and decryptor, which show registers,
functional units, multiplexers, control signals, etc.
4) State transition graphs or ASM charts for the finite state machines that control
your encryptor and decryptor.
5) The final Verilog code for your encryptor, decryptor, key scheduler, and
testbench. This code should be commented well.
6) Post-synthesis simulation results for the modules from part 5. Include comments
and annotated waveform for ease of interpretation of results. Also indicate
whether or not results are correct and any known bugs.
7) A discussion of problems encountered and solutions.
8) A Synopsys report containing the following for your final design of the encryptor
and decryptor: attributes, clock, timing constraints, cells, and area for both
nominal and worst case library data.
9) A discussion of what, if any, measures you took to achieve the target clock
frequency and minimum area.
10) A tabulation of the Achieved Frequency, Achieved Area, and Figure of Merit for
the Nominal and Worst Case library data.
11) A quantitative comparison of the table values and discussion of the results in
terms of what you obtained and what you would expect for these cases.
12) A breakdown of tasks accomplished by each team member including percentage
contribution of team members to each individual or shared tasks signed by ALL
team members.
The final report will be graded and is worth 90 project points.