|
|
FONT RESIZE |
Hardware
Technology Overview
Elliptic has developed the industry's broadest portfolio of security IP through a structured, rigorous development program that offers customers the ability to precisely specify the performance and configuration (cipher and hash mode)s required for the standards under consideration as well as gate count and memory goals required for the target application. There are several aspects that guide Elliptic's hardware development methodology including:
|
|
|
|
Configurability
Elliptic initially develops its security cores starting with either a look-aside or in-line primitive which permits the designer to verify the algorithm directly. By building the interface compliant to an internal standard the core can then be used in either of the two platforms - SASPA and SPAcc. SASPA is the Symmetric and Asymmetric Security Performance Accelerator and it is designed to collect a number of security cores under a common look-aside slave bus interface such as a AMBA/AHB. Designers can request any combination of cipher and hash cores be configured behind the AMBA interface. In many cases there are also performance options for cores which improve the bit/cycle capacity of the engine. Designers can also request the inclusion of the CLP-300 Public Key Accelerator or the CLP-27 True Random Number Generator should these functions be required for the target application. As the SASPA is targeted at medium performance, and cost constrained applications, the core is designed to use a single memory block which will store messages and contexts. SASPA class engines are used for applications such as content protection, IPsec, SSL and wireless designs.
 |
Sample Algorithm Options
|
Sample Engine Options
|
Should a higher performance solution be required, customers can consider the SPAcc architecture. SPAcc is a short form for Security Protocol Accelerator and it has many compelling features. Like the SASPA, customers can configure multiple cipher and hash cores into the design. The interface consists of both a master AMBA/AHB interface for message traffic as well as a AMBA/AHB interface for control and configuration. The master interface has a multi-home DMA controller which has scatter/gather capability and operates through pointers provided to the engine by the software system. To support interrupt coalescence, the engine has configurable command and status FIFOs on the control interface which allow multiple commands to be loaded and queued in the status FIFO to a certain depth prior to triggering an interrupt. This feature is extremely important when small packet traffic is part of the requirement.
 |
Sample Algorithm Options
|
Sample Engine Options
|
Quality
The Elliptic hardware team has developed sophisticated system-on-chip designs in fabless semiconductor companies prior to joining the company. As such, they understand the complete SoC development cycle from concept through final device verification. To complement the skills in the team, a rigorous development process has been developed and has been approved through under ISO9000:2008. An important element of the quality process is the verification of the IP engine specified by the customer. Verification is a multi-step process at Elliptic which begins with verification of the crypto primitive (e.g. AES, 3DES, SHA) through a combination of third party test labs for compliance with the NIST Cryptographic Algorithm Validation Program (CAVP) combined with a comprehensive internal test suite developed by Elliptic. The Elliptic CAVP certificates are available through the links page on the web site. Once the individual algorithm has been verified, the final engine (which may be a collection of crypto algorithms behind a common AMBA bus for example) is then verified rigorously with EDA simulation tools then finally in the lab on Elliptic evaluation cards.
Performance
The graph below illustrates Elliptic's push for higher performance solutions. The CLP-30 Pipelined IPsec engine is the flagship product in terms of performance and features. It allows designers to achieve multi-Gbps IPsec through multiple pipelines combined with multiple AMBA/AHB master ports. It is also possible to dedicate an AMBA master for security association (SA) traffic and on-chip SA caches if required. The chart illustrates what can be achieved with the CLP-30 and compares this with the SASPA and SPAcc engines from an overall system performance perspective. System level performance is the ultimate metric as there are multiple contributors to the final system capability - the crypto engine, bus or busses and software. Since Elliptic has both hardware and software capabilities, it is uniquely positioned to help customers understand and ultimately achieve the overall performance objectives for the SoC or FPGA design under development. Companies that simply code cipher cores are unable to understand these trade-offs and can often mislead as to what the final performance will be when the system design is completed.
Productivity
Elliptic has built its tool flow to enhance the quality of its deliverables even in the situation where each core is configured to the specific requirements of each customer. This has come through automation of the verification environment. In situations where customers try to achieve the highest performance levels, Elliptic relies on Cadence RTL Compiler in PLE (Physical Layout Emulation) mode to closely approximate the post-layout performance of its engines. The goal is to ensure there are no surprises as customers integrate the engines into their back-end place and route flow.
