1 |
2 |
schengopen |
////////////////////////////////////////////////////////////////// ////
|
2 |
|
|
//// ////
|
3 |
|
|
//// AES Decryption Core for FPGA ////
|
4 |
|
|
//// ////
|
5 |
|
|
//// This file is part of the AES Decryption Core for FPGA project ////
|
6 |
|
|
//// http://www.opencores.org/cores/xxx/ ////
|
7 |
|
|
//// ////
|
8 |
|
|
//// Description ////
|
9 |
|
|
//// Implementation of AES Decryption Core for FPGA according to ////
|
10 |
|
|
//// core specification document. ////
|
11 |
|
|
//// ////
|
12 |
|
|
//// To Do: ////
|
13 |
|
|
//// - ////
|
14 |
|
|
//// ////
|
15 |
|
|
//// Author(s): ////
|
16 |
|
|
//// - scheng, schengopencores@opencores.org ////
|
17 |
|
|
//// ////
|
18 |
|
|
//////////////////////////////////////////////////////////////////////
|
19 |
|
|
//// ////
|
20 |
|
|
//// Copyright (C) 2009 Authors and OPENCORES.ORG ////
|
21 |
|
|
//// ////
|
22 |
|
|
//// This source file may be used and distributed without ////
|
23 |
|
|
//// restriction provided that this copyright statement is not ////
|
24 |
|
|
//// removed from the file and that any derivative work contains ////
|
25 |
|
|
//// the original copyright notice and the associated disclaimer. ////
|
26 |
|
|
//// ////
|
27 |
|
|
//// This source file is free software; you can redistribute it ////
|
28 |
|
|
//// and/or modify it under the terms of the GNU Lesser General ////
|
29 |
|
|
//// Public License as published by the Free Software Foundation; ////
|
30 |
|
|
//// either version 2.1 of the License, or (at your option) any ////
|
31 |
|
|
//// later version. ////
|
32 |
|
|
//// ////
|
33 |
|
|
//// This source is distributed in the hope that it will be ////
|
34 |
|
|
//// useful, but WITHOUT ANY WARRANTY; without even the implied ////
|
35 |
|
|
//// warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR ////
|
36 |
|
|
//// PURPOSE. See the GNU Lesser General Public License for more ////
|
37 |
|
|
//// details. ////
|
38 |
|
|
//// ////
|
39 |
|
|
//// You should have received a copy of the GNU Lesser General ////
|
40 |
|
|
//// Public License along with this source; if not, download it ////
|
41 |
|
|
//// from http://www.opencores.org/lgpl.shtml ////
|
42 |
|
|
//// //// ///
|
43 |
|
|
///////////////////////////////////////////////////////////////////
|
44 |
|
|
//// ////
|
45 |
|
|
//// Decryption engine ////
|
46 |
|
|
//// ////
|
47 |
|
|
//// This module implements the inverse cipher algorithm in ////
|
48 |
|
|
//// fig. 12 of FIPS-179 specification. ////
|
49 |
|
|
//// ////
|
50 |
|
|
////////////////////////////////////////////////////////////////////////
|
51 |
|
|
module decrypt(
|
52 |
|
|
input [0:127] ct,
|
53 |
|
|
input ct_vld,
|
54 |
|
|
output ct_rdy,
|
55 |
|
|
|
56 |
|
|
input [0:127] rkey,
|
57 |
|
|
input rkey_vld,
|
58 |
|
|
output next_rkey,
|
59 |
|
|
|
60 |
|
|
output [0:127] pt,
|
61 |
|
|
output pt_vld,
|
62 |
|
|
|
63 |
|
|
input [0:1] klen_sel, // Key length select. 00->128-bit, 01->192-bit, 10->256-bit, 11->invalid
|
64 |
|
|
|
65 |
|
|
input clk,
|
66 |
|
|
input rst
|
67 |
|
|
);
|
68 |
|
|
|
69 |
|
|
logic [0:127] State;
|
70 |
|
|
logic [14:0] decrypt_state;
|
71 |
|
|
|
72 |
|
|
wire [0:127] inv_shiftrows_out;
|
73 |
|
|
wire [0:127] inv_subbytes_out;
|
74 |
|
|
wire [0:127] inv_addrkey_out;
|
75 |
|
|
wire [0:127] inv_mixcol_out;
|
76 |
|
|
wire bypass_inv_mixcol;
|
77 |
|
|
wire load_new_ct;
|
78 |
|
|
wire last_round;
|
79 |
|
|
|
80 |
|
|
logic pt_vld_reg;
|
81 |
|
|
|
82 |
|
|
InvShiftRows InvShiftRows_u(.din(State), .dout(inv_shiftrows_out));
|
83 |
|
|
(* KEEP_HIERARCHY = "yes" *) InvSubBytes InvSubBytes_u(.din(inv_shiftrows_out), .dout(inv_subbytes_out));
|
84 |
|
|
(* KEEP_HIERARCHY = "yes" *) InvAddRoundKey InvAddRoundKey_u(.din0(inv_subbytes_out), .din1(ct), .rkey(rkey), .S(load_new_ct), .dout(inv_addrkey_out));
|
85 |
|
|
(* KEEP_HIERARCHY = "yes" *) InvMixColumns InvMixColumns_u(.din(inv_addrkey_out), .dout(inv_mixcol_out), .bypass(bypass_inv_mixcol));
|
86 |
|
|
|
87 |
|
|
// Decryption state machine, one-hot encoded.
|
88 |
|
|
always_ff @(posedge clk)
|
89 |
|
|
begin
|
90 |
|
|
if (rst) decrypt_state <= 15'b00000000000001; // Reset to state0
|
91 |
|
|
else
|
92 |
|
|
if (decrypt_state[0])
|
93 |
|
|
begin
|
94 |
|
|
// If both valid roundkey and ciphertext are present, start decryption.
|
95 |
|
|
if (rkey_vld & ct_vld) decrypt_state <= decrypt_state << 1;
|
96 |
|
|
end
|
97 |
|
|
else
|
98 |
|
|
// For all other states, always proceed to next state. Wrap back to
|
99 |
|
|
// state0 at final state
|
100 |
|
|
decrypt_state <= (last_round)? 15'b00000000000001 : decrypt_state << 1;
|
101 |
|
|
end
|
102 |
|
|
|
103 |
|
|
assign last_round = ((klen_sel==2'b00) & decrypt_state[10]) | ((klen_sel==2'b01) & decrypt_state[12]) | ((klen_sel==2'b10) & decrypt_state[14]);
|
104 |
|
|
|
105 |
|
|
// Plaintext is valid right after last round, and stays valid until the start of next decryption.
|
106 |
|
|
always_ff @(posedge clk)
|
107 |
|
|
begin
|
108 |
|
|
if (rst) pt_vld_reg <= 0;
|
109 |
|
|
else
|
110 |
|
|
case (pt_vld_reg)
|
111 |
|
|
1'b0 : if (last_round) pt_vld_reg <= 1;
|
112 |
|
|
1'b1 : if (ct_vld & rkey_vld) pt_vld_reg <= 0;
|
113 |
|
|
endcase
|
114 |
|
|
end
|
115 |
|
|
|
116 |
|
|
assign pt_vld = pt_vld_reg;
|
117 |
|
|
|
118 |
|
|
always_ff @(posedge clk)
|
119 |
|
|
// The output of InvMixColumns() is the intermediate result after each round.
|
120 |
|
|
if (~(decrypt_state[0] & ~(ct_vld & rkey_vld))) State <= inv_mixcol_out;
|
121 |
|
|
|
122 |
|
|
assign pt = State;
|
123 |
|
|
|
124 |
|
|
// Load new ciphertext when state machine in state0 and both
|
125 |
|
|
// valid roundkey and ciphetext are present.
|
126 |
|
|
assign load_new_ct = decrypt_state[0] & rkey_vld & ct_vld;
|
127 |
|
|
|
128 |
|
|
// Bypass InvMixColumns while loading new ciphertext or computing the result for
|
129 |
|
|
// last round.
|
130 |
|
|
assign bypass_inv_mixcol = load_new_ct | last_round;
|
131 |
|
|
|
132 |
|
|
// Ready to accept new ciphertext only when valid round key is present and state machine
|
133 |
|
|
// in state0
|
134 |
|
|
assign ct_rdy = decrypt_state[0] & rkey_vld;
|
135 |
|
|
|
136 |
|
|
// Consume one roundkey if
|
137 |
|
|
// 1). Initial ciphertext and roundkey is present, or
|
138 |
|
|
// 2). state machine not in state0 (decryption in progress already)
|
139 |
|
|
assign next_rkey = ~decrypt_state[0] | (ct_vld & rkey_vld);
|
140 |
|
|
|
141 |
|
|
endmodule
|