An FPGA Implementation of 30Gbps Security Module for GPON Systems
Truong Quang Vinh1, Ju-Hyun Park1, Young-Chul Kim1, Kwang-Ok Kim2
1
Department of Electronics and Computer Engineering, Chonnam National University
300 Yongbong-dong, Buk-gu, Gwangju 500-757, Korea
tqvinh@soc.chonnam.ac.kr
2
Electronics and Telecommunication Research Institute
161 Gajeong-dong, Yuseong-gu, Daejeon, Korea
kwangok@etri.re.kr
Abstract
GPON systems require gigabit throughput data
encryption for security and privacy. This paper
presents an implementation of very high speed security
module for GPON on Virtex4 FPGA. The security
module supports payload encryption with constant
delay by using counter mode AES algorithm. Our
design of AES has three advanced features: composite
field arithmetic SubByte, efficient MixColumn
transformation, and On-the-Fly Key-Scheduling. Full-
pipelined architecture is employed for the AES
architecture in order to achieve the high performance
for security module. The experiment shows that the
proposed architecture can achieve a throughput of
30Gbits/s on a Xilinx Virtex-4 VLX100-12 device. The
performance of our design is well suitable for
encryption applications of GPON systems.
1. Introduction
Recently, GPONs (Gigabit-capable Passive Optical
Networks) are attractive for cost-effective delivery of
high-bandwidth data directly to building, curb, and
home. This creates a strong requirement for access
network to be trustworthy, secure, and reliable.
Therefore, encryption module is an essential part in
GPON systems for protecting broadcast data from
eavesdropping due to the multicast nature of the
GPONs. The ITU-T G.984 document [1] recommends
using the Advanced Encryption Standard (AES) for
payload encryption in GPONs. The National Institute
of Standards and Technology (NIST) defined five
modes of operation of AES [2]. However, only AES
with counter mode (CTR-AES) can be used for GPON
payload encryption. In this paper, we present a GPON
security module using CTR-AES algorithm which is
implemented by a full-pipelined architecture for area
and performance optimization.
For hardware implementation of security module,
there are two critical constrains: performance and
978-1-4244-2358-3/08/$20.00 © 2008 IEEE 868
amount of resource needed. To achieve high
throughput for gigabit links in GPONs, we apply
pipelined architectures for all process blocks of
security module, especially for AES core. The
pipelined architecture for AES can improve the
throughput but it utilizes much area due to duplicated
hardware for implementing 11 rounds. Therefore, some
researchers have proposed several speed-area trade-off
to implement the architectures for AES algorithm. To
optimize the resource for AES implementation,
researchers focus on improving some blocks of the
ciphers. In [8]-[10], efficient implementations of the S-
box are proposed to minimize area and delay. The
architecture of proposed S-box is combination of
SubBytes and Inverse SubBytes transformations,
instead of look-up tables that require much memory. To
enhance key schedule, some authors propose on-the-fly
key expansion that can generate the round keys
concurrently during the encryption or decryption
procedure without extra memory to store the round
keys [8], [9].
This paper explores efficient schemes for designing
the security module in order to achieve the target
performance of GPON systems. Our design employs a
composite field arithmetic architecture for SubByte
transformation. Moreover, we apply sub-pipelined for
this function block to improve the throughput of AES
algorithm. Another part that has improvement is the
key-expander. We propose an area-efficient key
expander which can compute round keys in on-the-fly
manner. Besides, we exploit sub-pipelined architecture
for key expansion block and use optimized set of
registers to store round keys. Our key expander is
suitable for pipelined AES architecture that can start at
the same time with data encryption.
The paper is organized as follows. Section 2
presents the architecture of the GPON security module.
Section 3 describes the hardware implementation of
AES algorithm. The advanced features for AES
hardware implementation are presented in Section 4.
Section 5 presents the implementation results and the
CIT 2008
performance comparisons with different architectures.
In the section 6, we give the conclusion.
2. The architecture of the GPON security
The GPON security module is implemented to
guarantee a secure communication in Tx/Rx link of
GPON. Using the module, the transmission data are
ensured to be confidentiality, integrity, and origin
authenticity of each frame sent and received by the
OLT (Optical Line Termination) / ONT (Optical
Network Termination) [1]. The top structure of the
GPON security module is shown in Fig. 1.
Fig. 1. The top structure of the GPON security module.
a. Port-ID Table: is implemented as 4K 12-bit
registers to store the port identifier. Only frames with
the appropriate Port-ID are encrypted by CTR-AES
core.
b. Security Decoder: generates Crypto counter
with the format: (Inter Frame Count[19:0] & Intra
Frame Count[15:0]) & (Inter Frame Count[29:0] &
Intra Frame Count[15:0]) & (Inter Frame Count[29:0]
& Intra Frame Count[15:0]). It also registers 128-bit
GTC Payload for the Payload Bypass.
c. Key Expander: restores the initial key and
generates round keys for CTR-AES from 128-bit key
input. The total bit number of round_keys is 1408 =
128*(10+1). The shadow key is used if the OLT
require key exchange. The ONT responds by
generating, storing and sending a new key. When the
new key is transferred successfully to OLT, both the
OLT and ONU (Optical Network Unit) begin using the
new key at precisely the same frame boundary.
d. CTR-ARE Core: is the same process of AES
algorithm except input values which is crypto counter.
The crypto counter increases at every 128-bit data
block. 128-bit input blocks are transformed into 128-bit
pseudorandom cipher blocks
e. Payload Bypass: delivers the insecure payload
without an authentication encryption. It has the same
869
delay as encryption time to synchronize with the cipher
GEM payload at the output.
f. Security Encoder: multiplexes the cipher GEM
(G-PON Encapsulation Method) Payloads from Bypass
GEM Payload and Encrypted GEM Payload depending
whether security function is enabled. For the authentic
frames, the encoder performs XORed 128bits
Pseudorandom Cipher block with delayed GEM
payload to generate cipher GEM payload.
The AES algorithm in GPON security module uses
counter mode to encrypt data [2]. In counter mode
encryption, the forward cipher function is invoked on
each counter blocks, and the resulting output blocks are
exclusive-ORed with the corresponding plaintext
blocks to produce the ciphertext blocks. The forward
cipher function is used in both CTR decryption and
CTR encryption. Therefore, only one hardware
implementation is used for both encryption and
decryption. The XORed operation is executed in
security encoder block.
3. AES core implementation
3.1 AES general architecture
The AES algorithm is a symmetric-key cipher, in
which both the sender and the receiver use a single key
for encryption and decryption. In the encryption of the
AES algorithm, each round except the final round
consists of four steps: SubByte, ShiftRow, MixColumn,
and AddRoundKey. The SubByte is nonlinear
transformation, which substitutes each byte of round
data according to a substitution table called SBox. The
ShiftRow step is a circular shifting of bytes in each row
of the round data. The MixColumn transformation
operates on the State column-by-column, treating each
column as a four-term polynomial. The AddRoundKey
can be simply performed by applying exclusive OR to
the round key with the data block. The round keys are
different in every round and are generated by Key
Expansion.
3.2 The full-pipelined architecture for AES
algorithm
In order to achieve very high throughput, we apply
pipeline technique both for outer round and inner round
of AES architecture. For outer round pipelining, the
pipeline registers are placed between the data path
instances of each round. For the inner round pipelining,
we decompose four processes SubByte, ShiftRow,
MixColumn and AddRoundKey into sub-pipelined
stages with equivalent delay. The Fig.2 shows full
pipelined architecture of AES algorithm.
 Among round processes of AES algorithm, the
SubByte phase has the most delay. Therefore, the
number of sub-stages of this block is more than that of
other phases. We implemented two full-pipelined
architectures which have 2-stage sub-pipeline and 5-
stage sub-pipeline for each round process. Thus, the
SubByte block has to be decomposed into 2 stages and
3 stages, respectively. We can achieve a very high
throughput when using 5-stage sub-pipelined for AES
architecture.
Fig. 2. Full-pipelined architecture for AES algorithm.
4. Advanced features for AES Hardware
implementation
This section presents innovative features in AES
hardware implementation. Each sub-block in
encryption process is optimized for area and delay. Our
improvement for AES architecture is focused on
SubByte, MixColumn, and Key Expander block. The
detail hardware implementations for these blocks are
described as follows.
4.1. SubByte transformation
In the SubByte transformation (Sbox), the input is
considered as an element of GF(28). First, the
multiplicative inverse in GF(28) is calculated. Then, an
affine transformation over GF(2) is applied. The
implementation of a SBox can be done by a look-up
table, but it consumes much resource. Nevertheless, we
can implement a SBox using Galios Field operations
[10]. Field arithmetic GF(2 4) is used instead of GF(28)
to optimize area. In this architecture, the input values is
mapped to two elements of GF(2 4). Then, the
multiplicative inverse is calculated using GF(24)
operation. Next, the two GF(24) elements are inverse
mapped to one element in GF(28). Last, the affine
transformation is performed. Although the composite
field implementation of Sbox is very efficient in area, it
suffers from a long critical path. To overcome this
870
drawback, further pipelining can be used. By using the
2-stage pipelined architecture with three 8-bit registers
(Fig.3), the critical path is broken in half. To reduce
more path delay, the 3-stage pipelined architecture can
be also applied (Fig.4).
map
affine
map
-1
Fig. 3. 2-stage pipelined SBox using GF operations.
Fig. 4. 3-stage pipelined SBox using GF operations.
4.2. MixColumn
In MixColumn transformation, the columns of the
State are considered as polynomials over GF(2 8) and
multiplied modulo x4 + 1 with a fixed polynomial c(x )
= ‘03’ x3 + ‘01’ x2 + ‘01’ x + ‘02’. In direct form, the
MixColumn transformation can be expressed as
ìs'0,c = ({02} · s 0,c ) Å ({03} · s1,c ) Å s 2,c Å s 3,c
ïs' = s Å ({02} · s ) Å ({03} · s ) Å s
ï 1,c 0,c 1,c 2, c 3, c (1)
í
s ' = s
ï 2, c 0 ,c Å s1, c Å ({02 } · s 2, c ) Å ({03 } · s 3,c )
ïîs'3,c = ({03} · s 0,c ) Å s1,c Å s 2,c Å ({02} · s 3,c )
Several architectures have been proposed for the
implementation of MixColumn transformation.
Substructure-shared architecture is applied in [4] [6],
[7], [9]. In our implementation, we also use
substructure sharing techniques to implement an
efficient hardware for MixColumn transformation. To
apply this technique, the equation (1) should be
rewritten in an efficient way as
ìs'0, c = {02} · (s 0, c Å s1, c ) Å s1, c Å (s 2, c Å s3,c )
ïs' = {02} · (s Å s ) Å s Å (s Å s )
ï 1, c 1, c 2, c 0, c 2, c 3, c (2)
í
ï s ' 2 , c = {02} · (s 2 , c Å s 3, c ) Å s 3 , c Å (s 0 , c Å s1, c )
ïîs'3, c = {02} · (s 3, c Å s0, c ) Å s 2, c Å (s 0, c Å s1, c )
The equation for MixColumn transformation is now
more symmetrical, and we can apply substructure
sharing to optimize area for hardware implementation.
The {02} constant multiplication is computed by the
function denoted by a = xtime(b). The xtime() function
can be implemented at the byte level as a left shift and
a subsequent conditional bitwise XOR with {1b} if the
most significant of input byte is one (b7 = 1). The
xtime() block can be implemented by 3 2-bit XOR gate.
By using efficient architecture of xtime() and applying
XOR-sharing, the MixColumn transformation can be
implemented as shown in the Fig.5.
Fig. 5. (a) The efficient architecture of the MixColumn.
(b) The implementation of xtime() function.
The total number of gate counts for MixColumn
transformation is 324, which includes 108 2-bit XOR
gates (each XOR gate contains 3 gates).
4.3. Key-Expander
The Key Expansion routine generates a total of 11
round keys from an initial key in 128-bit AES
algorithm. For pipelined AES architecture, all round
keys must be available at the same time. Therefore,
some researchers implemented a key expansion routine
to compute a round key, and duplicate this hardware 10
times for total 10 rounds [4], [5]. These architectures
can calculate all round keys at the same time, but they
consume much area. Some other researchers propose
method to reduce Xinmiao Zhang [9] has proposed key
expander that can operate in on-the-fly manner. The
data encryption and the key expansion can start
simultaneously. Inherited from that architecture, we
implement an area-efficient key expander which also
can compute round key in on-the-fly manner. In order
to operate synchronously with the sub-pipelined round
process, the key expander is divided into r sub-stages.
We use 11 registers to store 11 round keys. It is
different from the architecture of the key expansion in
[9], in which the author used r sets of registers all
round keys and temporary values for sub-pipelined
stage. By this scheme, we can reduce more area than
the previous architecture. The sub-pipelined
architecture for on-the-fly key expander with 3 sub-
stage (r=3) is shown in Fig.6.
Since round keys are generated on the fly, the
number of sub-pipelined stages for key expansion must
be the same with the number of encryption sub-stages.
871
After r clock cycles, a new round key is generated, so
all the round keys are available after (r×Nr) +1 clock
cycles.
reg
reg
reg
reg
reg
reg
reg
reg
Roundkey(Nr)
Roundkey(0)
Roundkey(1)
Roundkey(2)
Roundkey(3)
Fig.6. The architecture of on-the-fly key expander.
5. Performance results and comparisons
We implemented the GPON security module with
full-pipelined architecture of 128-bit CTR-AES on
Virtex-4 VLX100-12. Xilinx ISE 8.2i was used to
synthesize the design and provided post-placement
timing results. For simulation, we used ModelSim 5.8c
to verify the encrypt/decrypt operations. We evaluated
the hardware cost in terms of BRAMs, slices,
maximum frequency and throughput.
We implemented two full-pipelined architectures of
AES core which have 3 sub-pipelined stages (r=3) and
5 sub-pipelined stages (r=5). The 3-stage sub-pipelined
design has total 31 stages (r×10 + 1). Thus, after 31
clock cycles, the corresponding cipher text blocks will
appear every clock cycle. By using this architecture, we
can achieve the throughput of 26.7Gbits/s. The 5-stage
sub-pipelined design has higher performance than the
3-stage sub-pipelined design. However, this design
consumes more area for pipeline registers and takes
more clock cycles for round processes. The table 1
shows the comparison between existed AES
implementations and our implementation. Since
previous architectures have been implemented on
VirtexE device, we also choose Xilinx VirtexE-family
device beside Virtex4 for our design in order to
compare the result fairly. According to the experiment
result, the designs in [3]-[5] have less performance
because they just use outer-pipeline architecture. In the
implementations of [7] and [9], the authors improve the
throughput by applying sub-pipeline architectures.
Nevertheless, these designs require more slices for
extra hardware. In term of throughput/slice, our
implementation is more efficient than the published
approaches. The result of synthesized report shows that
our design with 5-stage sub-pipelined architecture can
achieve throughput of 31.6 Gbits/s.
 Table 1. Comparison of FPGA implementation of the AES algorithm
Design Device Frequency Throughput slices BRAMs Mbps/slice
(MHz) (Mbps)
Shuenn-Shyang [3] XCV1000e-8 125.38 1604 1857 0 0.867
Jae-Gon Lee [4] XCV3200e-8 40 5120 8009 104 0.639
Saqib, N.A. [5] XCV812e-8 20.192 2584 2744 0 0.942
Jarvinen [7] XCV1000e-8 129.2 16500 11719 0 1.408
Xinmiao Zhang (r=3) [9] XCV812e-8 93.5 11965 9406 0 1.272
Xinmiao Zhang (r=7) [9] XCV1000e-8 168.4 21556 11022 0 1.956
Our AES core design (r=3) XCV1000e-8 91.1 11661 8914 0 1.308
Our AES core design (r=5) XCV1000e-8 150.25 19232 9820 0 1.958
Our AES core design (r=3) XC4VLX100-12 208.49 26686 9478 0 2.816
Our AES core design (r=5) XC4VLX100-12 247.19 31640 9904 0 3.195

The whole architecture of GPON security including
AES core are synthesized on Xilinx Virtex-4 VXL100-
12. The some extra resource is needed for security
decoder, security encoder, and payload bypass.
Therefore, the total areas for the security module with
AES core (r=3) and AES core (r=5) are 11958 slices,
and 13384 slices, respectively.
6. Conclusions
We presented a FPGA implementation of the high
speed GPON security module using counter mode AES
algorithm. Our design has three main efficient features:
composite field arithmetic SubByte, area-efficient
MixColumn, and on-the-fly sub-pipelined Key-
Expander. By using these improvement features, our
design has optimal area and maximum throughput. For
full-pipelined architecture with 51 stages, we can
achieve throughput of 30 Gbits/s on Virtex4 VLX100
device. Our implementation is well suitable for
encryption applications of GPON systems.
Acknowledgement
This research was financially supported by the
Electronics and Telecommunication Research Institute
(ETRI) in Korea. The CAD tools for design in this
work were supported by IDEC.
[4] Jae-Gon Lee, Woong Hwangbo, Seonpil Kim, Chong-Min Kyung,
“Top-down implementation of pipelined AES cipher and its
verification with FPGA-based simulation accelerator”, Proceedings
of 6th International Conference on ASIC , pp. 68-72, Oct. 2005.
[5] Saqib, N.A., Rodriguez-Henriquez, F., Diaz-Perez, A., “AES
algorithm implementation - an efficient approach for sequential and
pipeline architectures”, Proceedings of the Fourth Mexican
International Conference on Computer Science , pp. 126-130, Sept.
2003.
[6] Nedjah, N., de Macedo Mourelle, L., Cardoso, M.P., “A
Compact Pipelined Hardware Implementation of the AES-128
Cipher”, Third International Conference on Information
Technology: New Generations , pp. 216-221, April 2006.
[7] Yongzhi Fu, Lin Hao, Xuejie Zhang, Rujin Yang, “Design of an
extremely high performance counter mode AES reconfigurable
processor”, Second International Conference on Embedded
Software and Systems, Dec. 2005.
[8] Hodjat, A., Verbauwhede, I., “Area-throughput trade-offs for
fully pipelined 30 to 70 Gbits/s AES processors”, IEEE Transactions
on Computers, vol. 55, no. 4, pp. 366-372, April 2006.
[9] Xinmiao Zhang, Parhi, K.K., “High-speed VLSI architectures for
the AES algorithm”, IEEE Transactions on Very Large Scale
Integration (VLSI) Systems, vol. 12, no. 9, pp. 957-967, Sept. 2004.
[10] J. Wolkerstorfer, E. Oswald, and M. Lamberger, “An ASIC
Implementation of the AES Sboxes”, Proceeding of RSA Conference ,
pp.29-52, Feb. 2002.

References
[1] “Gigabit-capable Passive Optical Networks (G-PON):
Transmission convergence layer specification”, ITU-T G.984.3
Amendment 1, July. 2005.
[2] Morris Dworkin, “Recommendation for Block Cipher Modes of
Operation”, NIST Special Publication , http://csrc.nist.gov/
CryptoToolkit/modes/, 2001.
[3] Shuenn-Shyang Wang, Wan-Sheng Ni, “An efficient FPGA
implementation of advanced encryption standard algorithm”,
Proceedings of the International Symposium on Circuits and
Systems, vol. 2, pp. 597-600, May 2004.

872