The ICE-IP-63 (EIP-63) is a scalable high-performance, multi-channel cryptographic engine that offers AES-GCM operations as well as AES-CTR and GMAC on bulk data. Its flexible data path is suitable to scale from 100 Gbps to 2.4 Tbps to provide a tailored engine with minimal area for your application. The FIFO-like data interface makes it possible to perform frame processing for many different protocols, including MACsec, IPsec, and OTN security. The time-sliced processing architecture makes it possible to alternate data processing for different channels or tunnels simultaneously. Block switching can be done with a granularity of a single clock cycle. The engine is also designed to support FIPS vector processing.
The ICE-IP-63 is designed to support multiple use cases, including:
- Security for 5G Transport with FlexE
- TMS transport network: encryption for OTNsec and FlexO (ITU-T)
- PCIe or CXL (Compute Express) Link Encryption
- NVMe over Fabric Security
- Link Encryption: Security for any high-speed copper or fiber link with channel/link aggregation
- Applications where low and/or fixed latency operation is vital
How the ICE-IP-63 Multi-channel AES-GCM Engine Works
ICE-IP-63 is a packet-processing engine and contains input/output packet interfaces and interfaces intended for supplying key material.
Before cryptographic packet processing can start, the Host CPU must transfer the key material to the engine. The packet processing mode (bypass, encryption, authentication, direction, IV) is provided on a per packet basis.
After processing, the ICE-IP-63 engine outputs the result packet as well as ICV (if authentication is enabled).
The external system is responsible for the following items:
- Per-packet IV generation.
- Key lifetime management, ensures that the key is refreshed when the current key expires.
- Reacting on processing errors reported by the ICE-IP-63 engine
The ICE-IP-63 engine detects the following data path exceptions:
- IV counter overflow.
- When any RAM memory is read with an uncorrected error, its content cannot be trusted. Operation will continue normally but the report will be reported via an output pin.
- Uncorrectable ECC errors on data RAMs should be handled by an upper-layer module.
The ICE-IP-63 engine is ready for FIPS certification. This can be done by providing the FIPS CAVP validation vectors through the packet interface and performing the required transformations.
The following transformations are supported:
- AES-ECB encrypt (in CTR mode, using the IV as data input)
- AES-GCM encrypt/decrypt and authentication
- AES-CTR encrypt/decrypt
- AES-GMAC authentication
Configurations
The ICE-IP-63 engine has a scalable number of processing pipes and channels. It is available in different configurations, suitable for different applications to meet different gate count and throughput objectives. Available configurations scale from:
- 1-12 parallel pipelines
- 128-1536 bits/clock
- >1600 MHz (16nm)
- Option for keys in registers or memories
- Configurations available from 400K gates
Verification
- Set of test vectors for chip integration verification
- Integration test vectors in a human-readable format
- Python / Verilog based verification environment
- 100% verification coverage
