Professional Documents
Culture Documents
1.1 INTRODUCTION
1
1.2 POWER ANALYSIS
In Cryptography, power analysis is a form of side channel attack in which the
attacker studies the power consumption of cryptographic hardware device (such as a
smart card, tamperproof,”blackbox”, microchip, etc.).It can yield information about what
the device is doing, and including key and other secrets.
Since increasingly confidential data are being exchanged on electronic way an
ever greater importance is attached to the protection of the data. Where cryptosystems
are being used in real applications attacks have to be taken into account. Hard and
software implementations themselves present a vast field of attacks. Side-channel-
Attacks exploit information that leaks from a cryptographic device. Especially one of
these new attacks has attracted much attention since it has been announced. This method
is called Differential Power Analysis (DPA) and was presented in 1998 by Cryptography
Research. DPA uses the information that naturally leaks from a cryptographic hardware
device, namely the power consumption. A less powerful variant, the Simple Power
Analysis (SPA) was also announced by Cryptography Research. What does a DPA
attack require? First, an attacker must be able to precisely measure the power
consumption. Second, the attacker needs to know what algorithm is computed, and third
an attacker needs the plain or ciphertext. The strategy of the attacker is to make a lot of
measurements, and then divide them with the aid of some oracle into two or more
different sets. Then, statistical methods are used to verify the oracle. If and only if the
oracle was right, one can see noticeable peaks in the statistics.
1.2.1 Differential Power Analysis: is an extension of power analysis that can allow an
attacker to compute the intermediate values of data blocks and key blocks by statistically
analyzing data collected from multiple cryptographic operations.
2
The currents passing through a device are usually small, but standard digital
oscilloscopes equipment is precious and accurate enough to measure data –induced
variations. It is reasonable for a cryptosystem designer to assume that an adversary will
have access to such equipment.
Power analysis does not seek to find weaknesses in algorithm or protocols so
much as in their implementations. It provides a way to “see inside” otherwise
„tamperproof‟ hardware. For example, DES‟s key schedule involves rotating 28 – bit key
register. In order to save time, most implementations simply check the least significant
bit to see if it is a 1 . If so, divides the register by two and prepends the 1 at the left end.
Power analysis can show the difference between a register with a 1 and a register with a 0
at the end when this happens. This can leak information about key material. DES‟s
permutations, usually clumsily implemented in software, reveal even more information
through conditional branches.
Simple power analysis can most easily distinguish conditional branches in the
execution of the cryptographic program since a device does different things (requiring
different power) depending on which conditional branch is executed. For this reason, care
should be taken to ensure there should no differences (from a power perspective) in the
conditionals branches within cryptographic software implementations. All rotations,
3
permutations and logic operations (such as XOR) should take the same time and draw
equivalent power, no matter what the input.
Differential power analysis is more difficult to prevent, since even small biases in
the power consumption can lead to exploitable weaknesses. Some countermeasure
strategies involve algorithmic modifications such that the cryptographic operations occur
on data that is related to the actual value by some mathematical relationship that survives
the cryptographic operation. This is called blinding, and usually implies an algorithm
that is based on number theory, such as factoring or discrete algorithms.
Almost every digital circuit built today is based on Complementary Metal Oxide
Semiconductor (CMOS) technology. Therefore it is necessary to understand the power
consumption characteristics of this technology. If a CMOS gate changes its state, this
change can be measured at the Vdd (Vss) pin. The more circuits change their state, the
more power is dissipated. In a synchronous design, gates are clocked which means that
all gates change their state at the same time. Power dissipated by the circuit can be
monitored by using a small resistor Rm in series between Vdd (or Vss) and the true source
(or ground). The two most essential parts of the power consumption during a change of a
state are the dynamic charge respective discharge (appr. 85%) and the dynamic short
circuit current (appr. 15%). This is sketched on the example of an inverter shown in
figure 1.1. The output of each gate has a capacitive load, consisting of the parasitic
capacity of the connected wires and gates of the following stages. An input transition
4
results in an output transition, which discharges or charges this parasitic capacity, causing
a current flow to Vdd (or Vss). This current is the dynamic charge is the dynamic charge
resp. discharge current. By measuring current Flow on Vdd we can detect whether the
output changed from 0 to 1 or not.
Figure 1.1Inverter
In the DES the subkey splits up in eight blocks, one for every sbox. Therefore we
specify one target sbox for which we list all possible (=26) input values. We will refer to
such an input value as subkey block. As assumed above we know the ciphertext, and so
we can calculate the value of some of the bits in L15 for every possible subkey block. We
select one of these bits as our target bit. The value of the target bit is our selection
function D. If D=1 the corresponding power measurement will be put in sample set S1, if
D-0 it is classified to S0. This procedure is repeated for a lot of measurement, so at the
end we have, for every ciphertext and all subkey blocks, a classification of the
corresponding measurement. Let n denote the amount of ciphertext, respective
measurements. Then we can write all our classifications in a 26 x n matrix. So every line
represents a possible key for the target sbox, and every column represents the
classification of one ciphertext resp. measurement.
For the DPA attack go through all lines and build the two sample sets S0 and S1.
Then compute the mean (point wise) of the samples in the sets, M0 and M1, and compute
the difference. For the correct subkey block there must be a peak in the trace of the
difference.
5
1.7 ROM DESIGN AND EVALUATION AGAINST POWER ANALYSIS ATTACK
The ROM of 3-bit input, 8-bit output is as shown in figure 2.2. It consists of two
main components: a 3 to 8 decoder and a memory array. The decoder is made up of
eight 3-input AND gates each driven by a min-term of the 3 input signals. The memory
array is an array of pull-down N-type transistors, on each intersection of a horizontal
address line and a vertical data line. Increase the Hamming weight (the number of “1”s)
of the ROM content one by one.
These are two dimensions of freedom which cause power consumption variation
given a certain Hamming weight:
6
i. Duty cycle of address lines
ii. N-type transistors distribution
The duty cycle of address lines are not identical to each other, due to inverter
delay in the address decoder. When one address line is selected and the N-type
transistors on it are turned on, the power dissipation caused by short-circuit current is
approximately proportional to the duty cycle of selected address line. As a result, the
power consumption differs when locations of N-type transistors change between different
address lines.
The power consumption variation caused by duty cycle nuance can be exploited
to mask the linearity between the power and the Hamming weight. One may consider
increasing the duty cycle nuances in address lines. But the influence would be slight
since differences of some duty cycles are very small. Moreover, it increases the risk of
timing analysis attack which in turn cancels the improvement on power information
leakage.
An alternative is to modify the N-type transistor distribution by using extra
dummy bit line, i.e. to increase the scope of N-type transistor distribution over a larger
ROM whose circuit is shown in Figure 1.3.
Figure 1.3 8 x 8 ROM with extra bit lines, for random insertion
7
1.7.3 Dual-rail ROM design
8
1.8 RANDOM NUMBER GENERATOR
1.8.1 INTRODUCTION
9
internal to the device achieves better security since these data do not need to be passed to
the FPGA via the pins.
In many applications, highly secure random numbers are required only at very low
bit rates, perhaps to generate a single key for the lifetime of the application. An example
is public key cryptography where, once a key pair is generated, the same key is used for
subsequent applications. The TRNG and PRNG reported in this paper are designed for
low bit rate applications and both are able to generate highly secure random numbers
while occupying minimal resources. They are particularly suitable for applications where
integration of the RNG and other cryptographic algorithms on the same FPGA is
required.
Given the importance of random number generation, surprisingly few hardware
implementations of TRNGs have been reported. There are three commonly used
techniques namely oscillator sampling, direct amplification and discrete time chaos. In
the oscillator sampling approach, period variation (i.e. oscillator jitter) in a low frequency
clock of low quality factor (Q) is exploited by using it to sample a high frequency clock.
The direct amplification technique digitizes thermal or shot noise, using a amplifier and
comparator. Finally, chaotic systems can be used to produce TRNGs.
10
1.9.2 True Random Number Generators (TRNGs):
11
CHAPTER – 2
CRYPTOGRAPHY
12
2.3 Threats in communication
2.3.1 Information access threat:
Modification of the data without the knowledge of sender and then transmit the data.
Secret key: The secret key is also input to the encryption algorithm. The key is a value
independent of the plaintext. The algorithm will produce a different output depending on
the specific key being used at the time. The exact substitutions and transformations
performed by the algorithm depend on the key.
13
Secret key shared by Secret key shared by
Sender and recipient sender and recipient
Transmitted Decryption
Encryption
Process Process
Cipher text
Plaintext Encryption Algorithm Decryption Algorithm Plaintext
Input (e.g., TDES) (reverse of Encryption output
Algorithm)
Figure-2.1. Simplified Model of Conventional Encryption
Cryptanalyst
Figure 2.2 X
K
Message X Y X
Encryption Decryption Destination
source
Algorithm Algorithm
Key
Source
14
A source produces a message in plaintext, X=[X1, X2, X3. . . , XM].The M
elements of X are letters in some finite alphabet. Traditionally, the alphabet usually
consisted of the 26 capital letters. Nowadays, the binary alphabet {0, 1} is typically used.
For encryption, a key of the form K= [K1, K2, K3……., KJ] IS GENERATED. If the
key is generated at the message source, then it must also be provided to the destination by
means of some secure channel. Alternatively, a third party could generate the key and
securely deliver it to both source and destination.
With the message X and the encryption key K as input, the encryption algorithm
forms the ciphertext Y=[Y1, Y2, Y3, . . . . . . . ., YN]. We can write this as
Y=EK(X)
This notation indicates that Y is produced by using encryption
algorithm E as a function of the plaintext X, with the specific function determined by the
value of the key K.
The intended receiver, in possession of the key, is able to invert the transformation:
X=DK(Y)
An opponent, observing Y but not having access to K or X, may attempt to
recover X or K or both X and K. It is assumed that the opponent knows the encryption
(E) and decryption (D) algorithms. If the opponent is interested in only this particular
message, then focus of the effort is to recover X by generating a plaintext estimate X.
Often, however, the opponent is interested in being able to read future messages as well,
in which case an attempt is made to recover K by generating an estimate K.
15
CHAPTER – 3
3.1.1 Encryption
Many people are not aware that the information they send or the files stored on
their computers needs to be protected, however when you consider what you have on
your computer and the many ways it can fall into the wrong hands, it does start to make
sense to protect your privacy in some way.
16
Key technology: encryption. Store and transmit information in an encoded form that does
not make any sense. The basic mechanism:
* Start with text to be protected. Initial readable text is called clear text.
* Encrypt the clear text so that it does not make any sense at all. The nonsense
text is called cipher text. The encryption is controlled by a secret password or number;
this is called the encryption key.
The encrypted text can be stored in a readable file, or transmitted over unprotected
channels.
3.1.2 Decryption
To make sense of the cipher text, it must be decrypted back into clear text. This is
done with some other algorithm that uses another secret password or number, called the
decryption key.
17
* The encryption function cannot easily be inverted (cannot get back to clear text unless
you know the decryption key).
* The encryption and decryption must be done in some safe place so the clear text cannot
be stolen.
* The keys must be protected. In most systems, can compute one key from the other
(sometimes the encryption and decryption keys are identical), so cannot afford to let
either key leak out.
18
Figure-3.2 DES algorithm
Why DES?
19
Over comes.
v) In the RSA algorithm we use two keys whereas in DES we use only one key for
both encryption and decryption.
vi) There is only one round process in RSA whereas there are 16 rounds of process
in DES.
3.2.1 Applications
The DES core can be utilized for a variety of encryption applications including:
3.2.2 Features
20
56 bits of security
For use in FPGA or ASIC designs
Verilog IP Core
Pipelined version
3.3 Triple-DES:
Use of multiple length keys leads us to the Triple-DES algorithm, in which DES
is applied three times. Triple DES is simply another mode of DES operation. It takes
three 64-bit keys, for an overall key length of 192 bits. In Private Encryption, you simply
type in the entire 192-bit (24 character) key rather than entering each of the three keys
individually. The Triple DES DLL then breaks the user provided key into three sub keys,
padding the keys if necessary so they are each 64 bits long. The procedure for encryption
is exactly the same as regular DES, but it is repeated three times. Hence the name Triple
DES, The data is encrypted with the first key, decrypted with the second key, and finally
encrypted again with the third key. Triple DES, also known as 3DES.
Consequently, Triple DES runs three times slower than standard DES, but is
much more secure if used properly. The procedure for decrypting something is the same
as the procedure for encryption, except it is executed in reverse. Like DES, data is
encrypted and decrypted in 64-bit chunks. Unfortunately, there are some weak keys that
one should be aware of: if all three keys, the first and second keys, or the second and
third keys are the same, then the encryption procedure is essentially the same as standard
DES. This situation is to be avoided because it is the same as using a really slow version
of regular DES.
21
Note that although the input key for DES is 64 bits long, the actual key used by
DES is only 56 bits in length. The least significant (right-most) bit in each byte is a parity
bit, and should be set so that there are always an odd number of 1s in every byte. These
parity bits are ignored, so only the seven most significant bits of each byte are used,
resulting in a key length of 56 bits. This means that the effective key strength for Triple
DES is actually 168 bits because each of the three keys contains 8 parity bits that are not
used during the encryption process.
If we consider a triple length key to consist of three 56-bit keys K1, K2, K3 then
encryption is as follows:
•EncryptwithK1
•DecryptwithK2
•Encrypt with K
Decryption is the reverse process:
•Decrypt with K3
•Encrypt with K2
•Decrypt with K1
Setting K3 equal to K1 in these processes gives us a double length key K1, K2.
22
Setting K1, K2 and K3 all equal to K has the same effect as using a single-length (56-bit
key). Thus it is possible for a system using triple-DES to be compatible with a system
using single-DES.
23
In each round the key bits are shifted, and then 48 – bits are selected from the 56
–bits of the key. The right half of the data is expanded to 48 – bits via an expansion
permutation, combined with 48 –bits of a shifted and permuted key via an XOR, sent
through 8 S- boxes producing 32- new bits, and permuted again. These four operations
make up Function f. The output of Function f is then combined with the left half via
another XOR. The results of these operations become the new right half; the old right half
becomes the new left half. These operations are repeated sixteen times, making 16 rounds
of DES.
24
Figure 3.6 Single Round of DES
25
3.4 Initial permutation (IP)
Table 3.1 specifies the input permutation on a 64-bit block. The meaning is as
follows: the first bit of the output is taken from the 58th bit of the input; the second bit
from the 50th bit, and so on, with the last bit of the output taken from the 7th bit of the
input.
The initial permutation occurs before round one; it transposes the input block as
described in table 3.1 this table, like all the other tables in this chapter , should be read
left to right, top to bottom. For example, the initial permutation moves bit 58 of the
plaintext to bit position 1, bit 50 to bit position 2, and so forth. The initial permutation
and the corresponding final permutation do not affect DES„s security.
26
3.5 Final permutation (IP-1)
IP-1
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
The final permutation is the inverse of the initial permutation; the table is
interpreted similarly. This is shown in table 3.2.
27
3.6 Expansion permutation (E)
The expansion permutation is interpreted as for the initial and final permutations.
Note that some bits from the input are duplicated at the output; e.g. the fifth bit of the
input is duplicated in both the sixth and eighth bit of the output. Thus, the 32-bit half-
block is expanded to 48 bits.
This operation expands the right half of the data, RI, from 32-bits to 48 bits.
Because this operation changes the order of the bits as well as repeating certain bits, it is
known as an expansion permutation. This operation has two purposes: it makes the right
half the same size as the key for the XOR operation and it provides a longer result that
can be compressed during the substitution operation. However, neither of those is its
main cryptographic purpose. By allowing one bit to affect two substitutions, the
dependency of the output bits on the input bits spreads faster. This is called an avalanche
effect. This is shown in table 3.3.
28
3.7 Permutation (P)
Figure-3.10 Permutation
Table-3.4 Permutation
P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
The 32 – bit output of the S –box substitution is permuted according to a P –box. This
permutation maps each input bit to an output position; no bits are used twice and no bits
are ignored. This is called a straight permutation or just a permutation. This is shown in
table 3.4.
29
3.8 Permuted choice 1 (PC-1)
PC-1
Left
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
Right
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
The "Left" and "Right" halves of the table show which bits from the input key
form the left and right sections of the key schedule state. Note that only 56 bits of the 64
bits of the input are selected; the remaining eight were specified for use as parity bits.
The DES performs a function, on 64 – bits key to generate sixteen 48 bit keys.
Which are k1, K2, k3, .k16.First it does an initial permutation on the 56 useful bits of the
key, to generate a 56 –bit output, which it divides into two 28 bit values, called Co and
Do. The permutation is specified as in Table 4.5.
30
3.9 Permuted choice 2 (PC-2)
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
The permutations in this case are likely to be of some security value. The
permutation of Ci that produces the left half of Ki is shown in Table 3.6.Note that bits 9,
18, 22 and 25 are discarded.
The permutations of the rotated Di – 1 that produces right half of Ki is shown in
Table 3.6.Bits 35, 38, 43, and 54 are discarded. Each of the halves of the Ki is 24 –bits,
so Ki is 48- bits long.
31
3.9 Substitution boxes (S-boxes)
After the compressed key is XORed with expanded block, the 48 – bit result
moves to a substitution operation. The substitutions are performed by eight substitution
boxes, or S-boxes. Each S – box has a 6-bit input and a 4-bit output, and there are eight
different S-boxes. The total memory requirements for the eight DES S-boxes are 256
bytes. The 48 bits are divided into eight 6-bit sub-blocks. Each separate block is operated
on by a separate S-box: The first block is operated on by S-box 1; the second block is
operated on by S-box 2, and so on.
32
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Table 3.7 lists the eight S-boxes used in DES. Each S-box replaces a 6-bit input
with a 4-bit output. Given a 6-bit input, the 4-bit output is found by selecting the row
using the outer two bits, and the column using the inner four bits. For example, an input
"011011" has outer bits "01" and inner bits "1101"; the corresponding output would be
"1001". . .
33
Figure 3.7.1 E table
34
Figure 3.7.4 Permuted choice one (PC-2)
Before the round subkey is selected, each half of the key schedule state is rotated
left by a number of places. This table specifies the number of places rotated.
Triple DES has two attractions that assure its widespread use over the next few
years. First, with its 168-bit key length, it overcomes the vulnerability to brute-force
attack of DES. Second, the underlying encryption algorithm in Triple DES is the same as
in DES. This algorithm has been subjected to more scrutiny than any other encryption
algorithm over a longer period of time, and no effective cryptanalytic attack based on the
algorithm rather than brute-force has been found. Accordingly, there is a high level of
confidence that 3DES is very resistant to cryptanalysis. If security were the only
consideration, then 3DES would be an appropriate choice for a standardized encryption
algorithm for decades to come.
35
Figure-3.14 Key schedule calculation
36
Figure-3.15 Feistel Decryption Algorithm
37
3.12 DES Decryption
3.13 Applications
The DES3 core can be utilized for a variety of encryption applications including:
3.13.1 Features
38
Non Pipelined version
Pipelined version
39
ALGORITHM FOR TDES
ENCRYPTION
Step1:k1, K2, k3 are the keys in key expander with the selection function.
Step2: If selection function is active i.e. „1‟ then encryption process is activated with key k1.And
this encryption output is given to input of the decryption i.e. selection function is „0‟ with key
K2.
Step3: Decryption output is given to input of encryption i.e. if selection function is „1‟ with k3.
DECRYPTION
step4: It is the reverse process of encryption.
ENCRYPTION
Step 1: Initial input data applied is 64 bits.
Step2: The initial permuted data 64 bits is divided into right (32bits) i.e. r0 and left (32bits) i.e.
l0.
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 left (32 bits) even
64 56 48 40 32 24 16 8
57 49 41 33 25 17 19 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 Right (32 bits) odd
63 55 47 39 31 23 15 7
Here each row difference is 8 and column difference is2.
Step3: The right 32bits is given to expansion box where a block gets 48 bits as output written as
8 block.
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 33
32 33 34 35 36 37
36 37 38 39 40 41
40 41 42 43 44 45
44 45 46 47 48
40
Step4: 56 bits of key length is compressed to 48 bits.
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 19 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Step5:48bits of key length and expansion of 48 bits as XORed and get 48 bits as output.
Key-110000
Expansion-110000
Step6:48 bits of data is given to substitution box s1 to s8 and each block has 64 bits as input and
yields 48 bits block as output i.e. 32 bits.
Step7: pbox yields a 32 bits output and 32bits input by shifting the right and left the bits of the
input blocks.
Step8:32bits are XORed with left 32 bits. so, that total output is 64 bits.
step9: The total procedure repeats till it completes 16 rounds.
41
SCOPE AND FUTURE DEVELOPMENT
For the foreseeable future Triple DES is an excellent and reliable choice for the
security needs of highly sensitive information. The AES will be at least as strong as
Triple DES and probably much faster.
It's the industry mandate from Visa and MasterCard that's requiring ATM
deployers to upgrade and/or replace their legacy terminals. In a nutshell, it's all about
three waves of encryption, and it's designed to make ATM transactions more secure.
42
VHDL
1. Introduction
VHDL stands for VHSIC (Very High Speed Integrated Circuits) Hardware Description
Language. In the mid-1980‟s the U.S. Department of Defense and the IEEE sponsored
the development of this hardware description language with the goal to develop very
high-speed integrated circuit. It has become now one of industry‟s standard languages
used to describe digital systems. The other widely used hardware description language is
Verilog. Both are powerful languages that allow you to describe and simulate complex
digital systems. A third HDL language is ABEL (Advanced Boolean Equation
Language) which was specifically designed for Programmable Logic Devices (PLD).
ABEL is less powerful than the other two languages and is less popular in industry. This
tutorial deals with VHDL, as described by the IEEE standard 1076-1993.
Although these languages look similar as conventional programming languages, there are
some important differences. A hardware description language is inherently parallel, i.e.
commands, which correspond to logic gates, are executed (computed) in parallel, as soon
as a new input arrives. A HDL program mimics the behavior of a physical, usually
digital, system. It also allows incorporation of timing specifications (gate delays) as well
as to describe a system as an interconnection of different components.
A digital system can be represented at different levels of abstraction [1]. This keeps the
description and design of complex systems manageable. Figure 1 shows different levels
of abstraction.
43
Figure 1: Levels of abstraction: Behavioral, Structural and Physical
The highest level of abstraction is the behavioral level that describes a system in
terms of what it does (or how it behaves) rather than in terms of its components and
interconnection between them. A behavioral description specifies the relationship
between the input and output signals. This could be a Boolean expression or a more
abstract description such as the Register Transfer or Algorithmic level. As an example,
let us consider a simple circuit that warns car passengers when the door is open or the
seatbelt is not used whenever the car key is inserted in the ignition lock At the behavioral
level this could be expressed as,
VHDL allows one to describe a digital system at the structural or the behavioral
level. The behavioral level can be further divided into two kinds of styles: Data flow and
44
Algorithmic. The dataflow representation describes how data moves through the system.
This is typically done in terms of data flow between registers (Register Transfer level).
The data flow model makes use of concurrent statements that are executed in parallel as
soon as data arrives at the input. On the other hand, sequential statements are executed in
the sequence that they are specified. VHDL allows both concurrent and sequential signal
assignments that will determine the manner in which they are executed. Examples of both
representations will be given later.
A digital system in VHDL consists of a design entity that can contain other
entities that are then considered components of the top-level entity. Each entity is
modeled by an entity declaration and an architecture body. One can consider the entity
declaration as the interface to the outside world that defines the input and output signals,
while the architecture body contains the description of the entity and is composed of
interconnected entities, processes and components, all operating concurrently, as
schematically shown in Figure 3 below. In a typical design there will be many such
entities connected together to perform the desired function.
45
comments start with two adjacent hyphens (--) and will be ignored by the compiler.
VHDL also ignores line breaks and extra spaces. VHDL is a strongly typed language
which implies that one has always to declare the type of every object that can have a
value, such as signals, constants and variables.
a. Entity Declaration
The entity declaration defines the NAME of the entity and lists the input and output ports.
The general form is as follows,
End [NAME_OF_ENTITY];
An entity always starts with the keyword entity, followed by its name and the
keyword is. Next are the port declarations using the keyword port. An entity declaration
always ends with the keyword end, optionally [] followed by the name of the entity.
46
out – indicates that the signal is an output of the entity whose value can
only be read by other entities that use it.
buffer – indicates that the signal is an output of the entity whose value can
be read inside the entity‟s architecture
inout – the signal can be an input or an output.
type: a built-in or user-defined signal type. Examples of types are bit, bit_vector,
Boolean, character, std_logic, and std_ulogic.
generic: generic declarations are optional and determine the local constants used
for timing and sizing (e.g. bus widths) the entity. A generic can have a default value.
The syntax for a generic follows,
Generic (
47
The entity is called BUZZER and has three input ports, DOOR, IGNITION and
SBELT and one output port, WARNING. Notice the use and placement of
semicolons! The name BUZZER is an identifier. Inputs are denoted by the keyword
in, and outputs by the keyword out. Since VHDL is a strongly typed language, each
port has a defined type. In this case, we specified the std_logic type. This is the
preferred type of digital signals. In contrast to the bit type that can only have the
values „1‟ and „0‟, the std_logic and std_ulogic types can have nine values. This is
important to describe a digital system accurately including the binary values 0 and 1,
as well as the unknown value X, the uninitialized value U, “-” for don‟t care, Z for
high impedance, and several symbols to indicate the signal strength (e.g. L for weak
0, H for weak 1, W for weak unknown - see section on Enumerated Types). The
std_logic type is defined in the std_logic_1164 package of the IEEE library. The type
defines the set of values an object can have. This has the advantage that it helps with
the creation of models and helps reduce errors. For instance, if one tries to assign an
illegal value to an object, the compiler will flag the error.
b. Architecture body
The architecture body specifies how the circuit operates and how it is
implemented. As discussed earlier, an entity or circuit can be specified in a variety of
ways, such as behavioral, structural (interconnected components), or a combination of the
above.
-- Declarations
-- Components declarations
-- signal declarations
-- Constant declarations
48
-- Function declarations
-- Procedure declarations
-- Type declarations
Begin
-- Statements
End architecture_name;
Behavioral model
The header line of the architecture body defines the architecture name, e.g.
behavioral, and associates it with the entity, BUZZER. The architecture name can be any
legal identifier. The main bodies of the architecture starts with the keyword begin and
give the Boolean expression of the function. We will see later that a behavioral model can
be described in several other ways. The “<=” symbol represents an assignment operator
and assigns the value of the expression on the right to the signal on the left. The
architecture body ends with an end keyword followed by the architecture name.
The statements in the body of the architecture make use of logic operators. Logic
operators that are allowed are: and, or, nand, nor, xor, xnor and not. In addition, other
types of operators including relational, shift, arithmetic are allowed as well (see section
on Operators). For more information on behavioral modeling see section on Behavioral
Modeling.
49
Concurrency
It is worth pointing out that the signal assignments in the above examples are
concurrent statements. This implies that the statements are executed when one or more of
the signals on the right hand side change their value (i.e. an event occurs on one of the
signals). For instance, when the input A changes, the internal signals X and Y change
values that in turn causes the last statement to update the output Z. There may be a
propagation delay associated with this change. Digital systems are basically data-driven
and an event which occurs on one signal will lead to an event on another signal, etc. The
execution of the statements is determined by the flow of signal values. As a result, the
order in which these statements are given does not matter (i.e., moving the statement for
the output Z ahead of that for X and Y does not change the outcome). This is in contrast
to conventional, software programs that execute the statements in a sequential or
procedural manner.
Structural description
The circuit of Figure 2 can also be described using a structural model that specifies what
gates are used and how they are interconnected. The following example illustrates it.
-- Declarations
Component AND2
End component;
Component OR2
50
out1: out std_logic);
End component;
Component NOT1
End component;
Begin
End structural;
Following the header is the declarative part that gives the components (gates)
that are going to be used in the description of the circuits. In our example, we use a two-
input AND gate, two-input OR gate and an inverter. These gates have to be defined first,
i.e. they will need an entity declaration and architecture body (as shown in the previous
51
example). These can be stored in one of the packages one refers to in the header of the
file (see Library and Packages below). The declarations for the components give the
inputs (e.g. in1, in2) and the output (e.g. out1). Next, one has to define internal nets
(signal names). In our example these signals are called DOOR_NOT, SBELT_NOT, B1,
B2 (see Figure 2). Notice that one always has to declare the type of the signal.
The statements after the begin keyword gives the instantiations of the components
and describes how these are interconnected. A component instantiation statement creates
a new level of hierarchy. Each line starts with an instance name (e.g. U0) followed by a
colon and a component name and the keyword port map. This keyword defines how the
components are connected. In the example above, this is done through positional
association: DOOR corresponds to the input, in1 of the NOT1 gate and DOOR_NOT to
the output. Similarly, for the AND2 gate where the first two signals (IGNITION and
DOOR_NOT) correspond to the inputs in1 and in2, respectively, and the signal B1 to the
output out1. An alternative way is to use explicit association between the ports, as shown
below.
U0: NOT1 port map (in1 => DOOR, out1 => DOOR_NOT);
U1: NOT1 port map (in1 => SBELT, out1 => SBELT_NOT);
U2: AND2 port map (in1 => IGNITION, in2 => DOOR_NOT, out1 => B1);
U3: AND2 port map (in1 => IGNITION, in2 => SBELT_NOT, B2);
U4: OR2 port map (in1 => B1, in2 => B2, out1 => WARNING);
Notice that the order in which these statements are written has no bearing on the
execution since these statements are concurrent and therefore executed in parallel.
Indeed, the schematic that is described by these statements is the same independent of the
order of the statements.
52
Structural modeling of design lends itself to hierarchical design, in which one can define
components of units that are used over and over again. Once these components are
defined they can be used as blocks, cells or macros in a higher level entity. This can
significantly reduce the complexity of large designs. Hierarchical design approaches are
always preferred over flat designs.
Library ieee ;
use ieee.std_logic_1164.all;
ieee Library:
53
To use any of these one must include the library and use clause:
library ieee;
use ieee.std_logic_1164.all;
use ieee.std_logic_arith.all;
use ieee.std_logic_unsigned.all;
library SYNOPSYS;
use SYNOPSYS.attributes.all;
One can add other libraries and packages. The syntax to declare a package is as follows:
-- Package declaration
Package name_of_package is
Package declarations
For instance, the basic functions of the AND2, OR2, NAND2, NOR2, XOR2, etc.
components need to be defined before one can use them.
54
4. Lexical Elements of VHDL
a. Identifiers
Identifiers are user-defined words used to name objects in VHDL models. We have seen
examples of identifiers for input and output signals as well as the name of a design entity
and architecture body. When choosing an identifier one needs to follow these basic rules:
May contain only alpha-numeric characters (A to Z, a to z, 0-9) and the underscore (_)
character
The first character must be a letter and the last one cannot be an underscore.
An identifier is case insensitive (ex. And2 and AND2 or and2 refer to the same object)
The above identifiers are called basic identifiers. The rules for these basic
identifiers are often too restrictive to indicate signals. For example, if one wants to
indicate an active low signal such as an active low RESET, one cannot call it /RESET. In
order to overcome these limitations, there are a set of extended identifier rules which
allow identifiers with any sequence of characters.
55
Inside the two backslashes one can use any character in any order, except that a
backslash as part of an extended identifier must be indicated by an additional backslash.
As an example, to use the identifier BUS:\data, one writes: \BUS:\data\
Extended identifiers are allowed in the VHDL-93 version but not in VHDL-87
Certain identifiers are used by the system as keywords for special use such as
specific constructs. These keywords cannot be used as identifiers for signals or objects
we define. We have seen several of these reserved words already such as in, out, or, and,
port, map, end, etc. Keywords are often printed in boldface, as is done in this tutorial. For
a list of all the keywords click on complete keyword list. Extended identifiers can make
use of keywords since these are considered different words (e.g. the extended identifier
\end\ is allowed.
c. Numbers
The default number representation is the decimal system. VHDL allows integer
literals and real literals. Integer literals consist of whole numbers without a decimal point,
while real literals always include a decimal point. Exponential notation is allowed using
the letter “E” or “e”. For integer literals the exponent must always be positive. Examples
are:
56
CONCLUSION
As DES will run through 16 iterations to achieve its desired cipher text (final
output).With Triple DES, it will Encrypt-Decrypt-Encrypt the block and a completely
different output is generated with a final combination. It‟s said that the security is 192 bit
encryption, but also argued that regardless of the keys, the security is only 168 bit. This
debate is clearly beyond the scope of this article/writer. If you wish to participate with the
scientists in their discussions, it‟s your humility at stake. It's a safe but that Triple DES is
exponentially stronger than the previous DES.
After that, AES may supplant Triple DES as the default algorithm on most
systems if it lives up to its expectations. But Triple DES will be kept around for
compatibility reasons for many years after that. So the useful lifetime of Triple DES is far
from over, even with the AES near completion.
57