Analysis and implementation of statistical cipher feedback mode and optimized cipher feedback mode by Yang, Fang
CENTRE FOR NEWFOUNDLAND STUDIES 
TOTAL OF 10 PAGES ONLY 
MAY BE XEROXED 
!Without Author's Permission) 
lJiil' 
' ·-' ' •Mill·· f. 

ANALYSIS AND IMPLEMENTATION OF 
STATISTICAL CIPHER FEEDBACK 
MODE AND OPTIMIZED CIPHER 
FEEDBACK MODE 
St. John's 
by 
Fang Yang, B.Eng. 
A thesis submitted to the 
School of Graduate Studies 
in partial fulfilment of the 
requirements for the degree of 
Master 
Faculty of Engineering and Applied Science 
Memorial University of Newfoundland 
January 2004 
Newfoundland Canada 
1+1 Library and Archives Canada Bibliotheque et Archives Canada 
Published Heritage 
Branch 
Direction du 
Patrimoine de !'edition 
395 Wellington Street 
Ottawa ON K1A ON4 
Canada 
395, rue Wellington 
Ottawa ON K1A ON4 
Canada 
NOTICE: 
The author has granted a non-
exclusive license allowing Library 
and Archives Canada to reproduce, 
publish, archive, preserve, conserve, 
communicate to the public by 
telecommunication or on the Internet, 
loan, distribute and sell theses 
worldwide, for commercial or non-
commercial purposes, in microform, 
paper, electronic and/or any other 
formats. 
The author retains copyright 
ownership and moral rights in 
this thesis. Neither the thesis 
nor substantial extracts from it 
may be printed or otherwise 
reproduced without the author's 
permission. 
In compliance with the Canadian 
Privacy Act some supporting 
forms may have been removed 
from this thesis. 
While these forms may be included 
in the document page count, 
their removal does not represent 
any loss of content from the 
thesis. 
• •• Canada 
AVIS: 
Your file Votre reference 
ISBN: 0-494-09932-1 
Our file Notre reference 
ISBN: 0-494-09932-1 
L'auteur a accorde une licence non exclusive 
permettant a Ia Bibliotheque et Archives 
Canada de reproduire, publier, archiver, 
sauvegarder, conserver, transmettre au public 
par telecommunication ou par I' Internet, preter, 
distribuer et vendre des theses partout dans 
le monde, a des fins commerciales ou autres, 
sur support microforme, papier, electronique 
et/ou autres formats. 
L'auteur conserve Ia propriete du droit d'auteur 
et des droits meraux qui protege cette these. 
Ni Ia these ni des extraits substantiels de 
celle-ci ne doivent etre imprimes ou autrement 
reproduits sans son autorisation. 
Conformement a Ia loi canadienne 
sur Ia protection de Ia vie privee, 
quelques formulaires secondaires 
ont ete enleves de cette these. 
Bien que ces formulaires 
aient inclus dans Ia pagination, 
il n'y aura aucun contenu manquant. 
Dedication 
To My Dearest Father, Mother, Sister, and Cheng 
Abstract 
In this thesis, two recently proposed modes of operation for block ciphers, 
referred to as statistical cipher feedback (SCFB) mode and optimized cipher feedback 
(OCFB) mode, are investigated. Both cipher modes can achieve the capability of self-
synchronization to recover from bit slips or insertions in the communication channel 
automatically. Compared to CFB mode, both cipher modes can obtain higher efficiency 
with modest buffer size and reasonable latency. Hence, both modes can be applied to 
high-speed digital hardware implementation and they have been identified as being 
suitable for physical layer security for applications such as SONET/SDH. 
In this thesis, both modes are implemented in software and hardware. In 
particular, the hardware structure and method of hardware implementation are 
investigated. Parallel and serial transfers are applied to the hardware implementation of 
SCFB mode and OCFB mode, respectively. Very High Speed Integrated Circuit 
Description Language (VHDL) and LSI design with 0.18 CMOS technology supported 
by Canadian Microelectronics Corporations (CMC) are used in the process of hardware 
implementation. The hardware structures of both modes are synthesized by using 
Synopsis tools provided by CMC as well. 
In addition, the performances of both modes are analyzed with respect to 
characteristics such as the theoretical efficiency, synchronization recovery delay, and the 
error propagation factor. Furthermore, the relationship between efficiency, probability of 
I 
queue overflow, and buffer size is investigated. It is definite that both of modes can 
obtain higher efficiency than cipher feedback mode. OCFB mode performs marginally 
better with respect to error propagation and synchronization recovery delay in some 
circumstances. SCFB mode is able to achieve higher efficiency with a given buffer size 
and probability of buffer overflow in an efficient hardware implementation. Similarly, for 
a given efficiency and buffer size, SCFB mode has a lower probability of buffer overflow 
than OCFB mode. In fact, while for SCFB it is possible to guarantee no overflow with 
50% efficiency and a buffer size equal to the block size, it is not possible to guarantee no 
overflow for efficiencies that are much less than 50% for OCFB mode. These results 
imply that SCFB is a mode more suitable for high speed physical layer security than 
OCFB mode. 
II 
Acknowledgement 
I sincerely thank my supervisor Dr. Howard Heys for his guidance and support 
throughout my master's study. Numerous meetings and discussion with you are the 
important step to complete my study. Your precious attitude to questions and patience 
impresses me very much. 
This is also a chance to thank members of the Computer Engineering Research 
Laboratories (CERL) that provided a friendly and resourceful environment for my 
research. Thanks especially to Reza Shahidi who helped me to solve many computer 
problems I came across. As well, I would like to thank my friends, Lu Xiao, Janaka 
Deepakumara, Zhiwei An, Padmini Vellore, and many friends whose names are not 
mentioned. 
I genuinely thank my father, Hongkui Yang, mother, Guoyu Fu, and sister, Li 
Yang, for their continuous encouragement and support. In these two years of my Master's 
study, my dearest sister had gotten cancer and did not have a chance to say goodbye to 
me in order to let me concentrate on my studies. My parents had endured anguish on the 
loss of my sister and kept it secret from me for one year. I can't imagine I could finish the 
research if I had known this sad news at the beginning. I wish my sister could know I so 
love her and miss her. 
I also have to honestly thank my dearest husband, Cheng Li, for all his love, care, 
encouragement, and suggestion. He is always my strongest supporter. When I feel tired, 
he gives his shoulder to let me have a rest. When I meet some problems, he is my best 
advisor. When I feel depressed, he encourages me and gives me strength. Words can't 
express my gratitude to your love. I am so rich with your care and love. I dedicate my 
thesis to you. 
III 
Table of Contents 
ABSTRACT ....................................................................................................................... I 
ACKN"OWLEDGEMENT ............................................................................................. III 
TABLE OF CONTENTS ................................................................................................ IV 
LIST OF FIGURES .................................................................................................... VIII 
LIST OF TABLES .......................................................................................................... XI 
NOTATION AND LIST OF ABBREVIATIONS ...................................................... XII 
CHAPTER 1 INTRODUCTION ................................................................................. ! 
1.1 MOTIVATION .................................................................................................... 2 
1.2 OBJECTIVE OF THE THESIS ................................................................................ 2 
1.3 THESIS OUTLINE .............................................................................................. 3 
CHAPTER 2 BACKGROUND OF RESEARCH ...................................................... 5 
2.1 SYMl'viETRIC ENCRYPTION SYSTEMS ................................................................. 5 
2.2 STREAM CIPHERS AND BLOCK CIPHERS ........................................................... 6 
2.3 CONVENTIONAL MODES OF OPERATION .......................................................... 8 
2.4 OTHER MODES OF OPERATION ....................................................................... 13 
2.5 ADVANCED ENCRYPTION STANDARD (AES) .................................................. 14 
CHAPTER 3 DESIGN AND IMPLEMENTATION ENVIRONMENT •.............. 17 
3.1 SOFfW ARE VS. HARDWARE IMPLEMENTATION .............................................. 17 
3.2 DESIGNME1110DOLOGY ................................................................................. 18 
3.3 DESIGN FLOW, FUNCTIONAL TEST AND VERIFICATION .................................. 20 
CHAPTER 4 STATISTICAL CIPHER FEEDBACK (SCFB) MODE ............•.... 24 
4.1 INTRODUCTION TO SCFB MODE .................................................................... 24 
IV 
4.2 IMPLENIENTATION OF SCFB MODE ................................................................ 26 
4.2.1 Software Implementation ....................................................................... 26 
4.2.2 Hardware Implementation ...................................................................... 28 
4.2.2.1 Top-down Hardware Design of SCFB Mode .................................... 28 
4.2.2.2 Parallel Transfer vs. Serial Transfer .................................................. 30 
4.2.2.3 Implementation Structure of an SCFB System ................................. 31 
4.2.2.4 Discussion on Queuing ...................................................................... 33 
4.2.2.5 Bottom-up Hardware Implementation .............................................. 34 
4.2.2.6 Test Methodology ............................................................................. 49 
4.2.2. 7 Complexity of Hardware Implementation ......................................... 49 
4.2.3 Discussion of Other Structures ............................................................... 50 
4.3 CONCLUSION .................................................................................................. 50 
CHAPTER 5 OPTIMIZED CIPHER FEEDBACK (OCFB) MODE .................... 52 
5.1 INTRODUCTION OF OCFB MODE .................................................................... 53 
5.2 IMPLENIENTATION OF OCFB MODE ................................................................ 54 
5.2.1 Software Implementation ....................................................................... 54 
5.2.2 Hardware Implementation ...................................................................... 56 
5.2.2.1 Top-down Hardware Design of the OCFB Mode ............................. 56 
5.2.2.2 Discussion on Queuing ...................................................................... 60 
5.2.2.3 Discussion on Timing Characteristics of Implementation ................ 61 
5.2.2.4 Bottom-up Hardware Implementation .............................................. 65 
5.2.2.5 Test Methodology ............................................................................. 74 
5.2.2.6 Complexity of Hardware Implementation ......................................... 74 
5.2.2.7 Discussion on other structures ........................................................... 75 
5.3 CONCLUSION .................................................................................................. 76 
v 
CHAPTER 6 PERFORMANCE ANALYSIS OF SCFB AND OCFB MODES ... 77 
6.1 BASIC PARAMETERS OF PERFORMANCE ANALYSIS ........................................ 77 
6.2 PERFORMANCE ANALYSIS OF SCFB MODE .................................................... 78 
6.2.1 Theoretical efficiency ............................................................................. 79 
6.2.2 SRD ........................................................................................................ 81 
6.2.3 EPF ......................................................................................................... 82 
6.2.4 Practical Efficiency of SCFB Mode ....................................................... 83 
6.2.5 The Relationship Between Buffer Size and the Overflow Probability .. 85 
6.2.6 The Relationship Between Encryption Efficiency and the Overflow 
Probability .............................................................................................. 86 
6.3 PERFORMANCE ANALYSIS OF OCFB MODE ................................................... 86 
6.3.1 Theoretical Efficiency ............................................................................ 86 
6.3.2 SRD ........................................................................................................ 89 
6.3.3 EPF ......................................................................................................... 90 
6.3.4 Practical Efficiency of OCFB Mode ...................................................... 92 
6.3.5 The Relationship Between Buffer Size and the Probability of Overflow 
.................................................................................... 93 
6.3.6 The Relationship Between Encryption Efficiency and Probability of 
Overflow ................................................................................................. 94 
6.4 PERFORMANCE COMPARISON BETWEEN SCFB MODE AND OCFB MODE ..... 95 
6.4.1 SRD ........................................................................................................ 95 
6.4.2 EPF ......................................................................................................... 96 
6.4.3 The Relationships Between Probabilities of Overflow and Buffer Size 97 
6.4.4 The Relationship Between Probability of Overflow and Efficiency ...... 99 
6.5 CONCLUSION ................................................................................................ 100 
VI 
CHAPTER 7 CONCLUSIONS AND FUTURE WORK ....................................... 102 
7.1 SUJ\1MAR Y OF THE RESEARCH ...................................................................... 102 
7.2 SUGGESTION FOR FUTURE WORK .................................................................. 105 
REFERENCES .............................................................................................................. 106 
APPENDIX A WAVEFORMS OF THE HARDWARE IMPLEMENTATION OF 
SCFB MODE ..................................................................................................... 108 
APPENDIX B WAVEFORMS OF THE HARDWARE IMPLEMENTATION OF 
OCFB MODE .................................................................................................... 121 
VII 
List of Figures 
Figure 2.1 Conventional encryption models ....................................................................... 6 
Figure 2.2 ECB mode .......................................................................................................... 9 
Figure 2.3 CBC mode ........................................................................................................ 10 
Figure 2.4 CFB mode ........................................................................................................ 11 
Figure 2.5 OFB mode ........................................................................................................ 12 
Figure 3.1 A digital system design process ....................................................................... 19 
Figure 3.2 Top-down design and bottom-up implementation ........................................... 20 
Figure 3.3 Design flow recommended by CMC ............................................................... 23 
Figure 4.1 SCFB system ................................................................................................... 25 
Figure 4.2 Flow chart of SCFB system ............................................................................. 27 
Figure 4.3 General diagram of SCFB system ................................................................... 28 
Figure 4.4 Port relationships of the encryption system ..................................................... 29 
Figure 4.5 Block diagram of the encryption system ......................................................... 29 
Figure 4.6 Structure of the encryption system .................................................................. 32 
Figure 4.7 Hardware structure of the plaintext subsystem ................................................ 37 
Figure 4.8 Hardware structure of the ciphertext subsystem .............................................. 39 
Figure 4.9 Hardware structure of key generation part ...................................................... 39 
Figure 4.10 State machine of the controller of the keystream subsystem ......................... 41 
Figure 4.11 Hardware structure of the scan part of the keystream subsystem ................. .44 
Figure 4.12 Simulation waveform of the encryption system ............................................ 45 
Figure 4.13 Simulation waveform of the encryption system ............................................ 46 
Figure 4.14 Simulation waveform of the encryption system ............................................ 47 
Figure 5.1 OCFB system ................................................................................................... 54 
VIII 
Figure 5.2 Flow chart of OCFB system ............................................................................ 55 
Figure 5.3 Port relationships of the encryption system ..................................................... 57 
Figure 5.4 Block diagram of the encryption system ......................................................... 57 
Figure 5.5 Structure of the encryption system .................................................................. 59 
Figure 5.6 Timing relationships between PQ, CQ, keystream .......................................... 64 
Figure 5. 7 Structure of the plaintext queue ....................................................................... 66 
Figure 5.8 Structure of the ciphertext queue ..................................................................... 66 
Figure 5.9 Hardware structure of the keystream subsystem ............................................. 67 
Figure 5.10 Simulation waveform of the encryption system ............................................ 69 
Figure 5.11 Simulation waveform of the encryption system ............................................ 70 
Figure 5.12 Simulation waveform of the encryption system ............................................ 71 
Figure 5.13 Simulation waveform of the encryption system ............................................ 72 
Figure 5.14 Simulation waveform of the encryption system ........................................... 73 
Figure 6.1 Synchronization cycle ...................................................................................... 79 
Figure 6.2 Theoretical efficiency vs. sync pattern size ..................................................... 82 
Figure 6.3 Synchronization recovery delay vs. sync pattern size with B = 128 ............... 84 
Figure 6.4 Error propagation factor vs. sync. pattern size with B = 128 .......................... 84 
Figure 6.5 Probability of overflow vs. buffer size with Rijndael.. .................................... 85 
Figure 6.6 Probability of overflow vs. efficiency with Rijndael.. ..................................... 87 
Figure 6.7 Synchronization cycle of OCFB mode ............................................................ 87 
Figure 6.8 Theoretical efficiency vs. sync pattern size ..................................................... 89 
Figure 6.9 Sync Recovery Delay vs. Sync Pattern Size (B=128) ..................................... 90 
Figure 6.10 Error propagation factor vs. sync pattern size with B = 128 ......................... 92 
Figure 6.11 Probability of overflow vs. buffer size with Rijndael.. .................................. 93 
Figure 6.12 Probability of overflow vs. efficiency with B = 128 ..................................... 94 
IX 
Figure 6.13 Sync recovery delay vs. sync pattern size with B = 128 ............................... 96 
Figure 6.14 Error propagation factor vs. sync pattern size with B = 128 ......................... 97 
Figure 6.15 Probability of overflow vs. buffer size with full-queue efficiency= 50% .... 97 
Figure 6.16 Probability of overflow vs. buffer size with full-queue efficiency= 78.10%98 
Figure 6.17 Probability of overflow vs. buffer size with full-queue efficiency= 84.40%98 
Figure 6.18 Probability of overflow vs. buffer size with full-queue efficiency= 90.60%98 
Figure 6.19 Probability of overflow vs. full-queue efficiency with B = 192 .................. 100 
Figure 6.20 Probability of overflow vs. full-queue efficiency with B = 224 .................. 100 
Figure 6.21 Probability of overflow vs. full-queue efficiency with B = 256 .................. 100 
X 
List of Tables 
Table 4.1 Hardware complexity of the encryption system of SCFB mode ....................... 51 
Table 5.1 Hardware complexity of the encryption system of OCFB mode ...................... 75 
XI 
Notation and List of Abbreviations 
n 
B 
k 
M 
d 
R 
R' 
Re 
T 
T' 
Te 
m 
1J 
p(k) 
E(k) 
fl 
eft 
QoS 
DES 
AES 
CAD 
:The length of sync pattern 
: The length of a block 
: The length of data bit between the previous sync pattern and the 
next sync pattern in ciphertext 
: The size of queue 
: The number of data in the queue 
: The rate of incoming data of plaintext queue 
: The rate of outgoing data of plaintext queue 
: The operating rate of the block cipher 
: The collection time of one block of plaintext data 
: The leaving time of one block of plaintext data 
: The operating time of one block of data for the block cipher 
: The number of data less than or equal to the length of a block 
: The theoretical efficiency 
: The probability of k 
: The expectation of k 
: The expect synchronization cycle size 
: The practical efficiency 
: Quality of Service 
: Data Encryption Standard 
: Advanced encryption Standard 
: Computer Aided Design 
XII 
ASIC 
SCFB 
OCFB 
NIST 
XOR 
IV 
ECB 
CBC 
CFB 
OFB 
CTR 
sv 
PCBC 
VLSI 
DRC 
HDL 
VHSIC 
VHDL 
IC 
CMC 
SPLD 
CPLD 
FPGA 
FPIC 
DFT 
: Application-Specific Integrated Circuit 
: Statistical Cipher Feedback 
:Optimized Cipher Feedback 
:National Institute of Standards and Technology 
: Exclusive-or 
: Initialization Vector 
: Electronic Code Book 
:Cipher Block Chaining 
: Cipher Feedback 
: Output Feedback 
: Counter mode 
: State Vector 
: Propagation Cipher Feedback 
: Very Large Scale Integration 
: Design Rule Checking 
: Hardware Description Language 
:Very High Speed Integrated Circuit 
: VHSIC Hardware Description Language 
: Integrated Circuit 
: Canadian Microelectronics Corporation 
: Simple Programmable Logic Devices 
: Complex Programmable Logic Devices 
: Field Programmable Gate Arrays 
: Field Programmable InterConnect 
:Design For Testability 
XIII 
PDP : Physical Design Planner 
LVS : Layout-Versus-Schematic 
PQ : Plaintext queue 
CQ : Ciphertext queue 
IVQ :IV queue 
SRD : Synchronization Recovery Delay 
EPF : Error Propagation Factor 
XIV 
Chapter 1 
Introduction 
Information security is an old science which can be traced back several centuries. 
The sender tries to hide information in order that it can reach the receiver safely without 
being recognized by the enemy. In many ways, cryptography can be seen as a war 
without the smoke of gunpowder. 
The main task of information security is to ensure the security of information 
during the process of transmission. Three key criteria mentioned in information security 
are confidentiality, integrity, and authentication. The confidentiality of the information 
means that only authorized access is allowed and unauthorized access is prevented. It 
guarantees that the information is hidden from the unauthorized users. The integrity of 
information ensures that the information transferred is original and not modified. The 
authentication of information ensures that the information is not processed during the 
transmission and both of the transmitter and the receiver are correct. It prevents the 
storage and the processing of information and a third party masquerading as one of the 
two parties. 
The use of cryptographic systems offers the highest level of security together with 
maximum flexibility. A cryptographic system includes an encryption system and a 
decryption system. The encryption system utilizes algorithms and keys to convert the 
original meaningful data into the nonsense data. If the modified information is obtained 
1 
or accessed by an unauthorized user, it cannot be figured out without the knowledge of 
algorithms and keys. In reality, the algorithms are usually published, but the keys are kept 
secret. The security of keys decides the security of information. Hence, it is no doubt that 
a cryptographic system can offer the information security by correct management and 
implementation. 
1.1 Motivation 
Today, the development and application of high quality and high-speed networks 
makes bandwidth capability and data confidentiality more and more important. Suitable 
modes of operation not only protect the data but also have the ability to maximize the use 
of network bandwidth. This thesis will focus on the studies of two recently proposed 
modes of operation, referred to as statistical cipher feedback (SCFB) mode and optimized 
cipher feedback (OCFB) mode, which can not only obtain the ability of self-
synchronization, but also have high efficiency compared to cipher feedback (CFB) mode. 
The ability to implement these modes for high-speed networks is also investigated. 
1.2 Objective of the Thesis 
The objective of the thesis firstly focuses on the hardware implementation of 
SCFB mode and OCFB mode. Hardware structure and the implementation method are 
discussed. The relative hardware characteristics with respect to the buffer size, 
probability of queue overflow, and the implementation efficiency are investigated. 
2 
The second objective of the thesis is to performance analysis on theoretical 
efficiency, error propagation delay, synchronization recovery delay and the relationships 
between buffer size, efficiency, and buffer overflow. 
By the analysis and comparison of hardware and performance, the conclusion of 
which mode is more suitable for high speed networks can be drawn. 
1.3 Thesis Outline 
This thesis includes seven chapters. Chapter 1 is the introduction part. Chapter 2 
provides the background related to the research. In this chapter, conventional modes of 
operation for the Data Encryption Standard (DES) [1] are discussed and the performances 
are analyzed in detail. Advanced Encryption Standard (AES) [2] algorithm is also 
provided as it is currently the most important block cipher. 
Chapter 3 explains the environment for the design and the use of Computer Aided 
(CAD) tools used for hardware implementation in detail. This chapter also describes the 
processes of how to make a chip or board from an idea or an algorithm. 
Chapter 4 introduces the algorithm of SCFB mode and considers the 
implementation of SCFB mode in hardware. The hardware characteristics with respect to 
the requirement on buffer size, the complexity, and timing analysis are discussed. 
Chapter 5 introduces the algorithm of OCFB mode and considers the 
implementation of OCFB mode in hardware. Again, the hardware characteristics with 
3 
respect to the requirement on buffer size, the complexity, and timing analysis are 
discussed. 
Chapter 6 analyzes the performance of SCFB mode and OCFB mode with respect 
to theoretical efficiency, synchronization recover delay, error propagation factor, and the 
relationship among buffer size, full-queue efficiency, and probability of overflow. 
Comparisons of these properties between SCFB mode and OCFB mode are then 
provided. 
Finally chapter 7 will draw a conclusion for this thesis and suggest some future 
work. 
4 
Chapter 2 
Background of Research 
This chapter introduces the background material for the research and provides a 
view of previous work. In general, an operational mode is needed to realize an 
encryption/decryption system. The mode of operation which is selected has a great 
influence on the security and the efficiency of system implementation. Therefore, it is 
significant to study the modes of operation. 
Besides the introduction of the modes of operation, the Rijndael algorithm which 
was announced as the Advanced Encryption Standard (AES) by the National Institute of 
Standards and Technology (NIST) recently is explained in this chapter. 
2.1 Symmetric Encryption Systems 
Conventional encryption, also referred to as symmetric encryption, is an 
encryption technology which uses the same key at the transmitter and receiver to encrypt 
and decrypt the message. Figure 2.1 illustrates the conventional encryption process [3]. 
The encryption system converts the original meaningful data, referred to as plaintext, into 
the nonsense data, referred to as ciphertext. The process of conversion combines the 
secret key shared by the transmitter and the receiver with a certain algorithm to produce 
the ciphertext. The secret key is independent of the plaintext. The ciphertext is sent into 
5 
the communication channel and collected by the receiver. The receiver then uses a 
decryption algorithm with the same key to decrypt the ciphertext to recover the plaintext. 
Secret key shared by Secret key shared by 
transmitter and receiver transmitter and receiver 
-- --
--
® ® 
--
-- --
-- Communication --
-- --
channel 
Plaintext Encryption algorithm Decryption algorithm Plaintext 
Figure 2.1 Conventional encryption models 
2.2 Stream Ciphers and Block Ciphers 
Block ciphers and stream ciphers are two important classes of encryption 
algorithms. A block cipher is a scheme which encrypts a fixed length of plaintext as a 
whole to produce the same length of ciphertext. The same plaintext produces the same 
output if the same key is provided. The benefit of the usage of fixed length of the block is 
its ease of implementation in software. Furthermore, it enables the incorporation of the 
encryption scheme into existing protocols or hardware components. A bit error in a block 
will cause a whole block error in the recovered plaintext. 
In contrast to the block cipher, a stream cipher [4] is an algorithm in which 
plaintext is encrypted bit-by-bit or symbol-by-symbol to produce the corresponding 
ciphertext. A stream cipher usually generates a pseudo random keystream to exclusive-or 
6 
(XOR) with plaintext to produce ciphertext. The output of a stream cipher is varied 
relative to the plaintext depending on the pseudo random keystream during the encryption 
process. Stream ciphers have relatively simple circuits and faster encryption speed in 
hardware compared with the block ciphers. Therefore, a stream cipher is suitable for 
high-speed networks or the physical layer in a communication channel. In addition, 
stream ciphers can have the significant property of no error propagation. A single bit of 
ciphertext error results in a single bit of plaintext error. This property makes stream 
cipher suitable for systems with high error probabilities in transmission. If a ciphertext bit 
is lost in transmission, a stream cipher will cause complete nonsense data for the rest of 
the recovered plaintext unless special measures are taken. Hence, stream ciphers need the 
ability of resynchronization through either a special signalling channel or the method of 
self-synchronization. This research will discuss the modes of operation which configure 
block ciphers as stream ciphers capable of self-synchronization. 
Bit slips are defined as the loss of a bit or bits in the process of data transmission. 
It is possible for the data transmitted to pass by several network switches and then arrive 
at the destination. Clock differences between network nodes, could cause bit slips or 
insertions.The ability to recover from bit slips and insertions is inevitable to consider 
when the modes of operation are discussed. 
There is a class of stream cipher, referred to as self-synchronizing stream ciphers, 
which can recover from bit slips or errors automatically. It looks for a sync pattern in the 
ciphertext to extract an Initialization Vector (IV) to synchronize the encryption and 
decryption system. This works because the ciphertext is shared by the encryption and 
7 
decryption system. Self-synchronizing makes the cryptographic system more efficiently 
use bandwidth than the stream ciphers which require an extra signalling channel to 
transfer IV to synchronize the encryption and decryption system periodically because it 
does not need additional bandwidth for synchronization purposes. 
Interestingly, there are several modes of operation that can configure a block 
cipher as a stream cipher to produce a pseudo random keystream and attain the ability of 
self-synchronization. Before we discuss self-synchronization explicitly, let us introduce 
the conventional modes of operation. 
2.3 Conventional Modes of Operation 
There are four operational modes for block ciphers that were published in 
December 1980 [4]. They are listed as follows: 
1. Electronic codebook mode (ECB) 
2. Cipher block chaining mode (CBC) 
3. Cipher feedback mode (CFB) 
4. Output feedback mode (OFB) 
Electronic Code Book (ECB) [3] is a mode in which each block of plaintext 
produces a corresponding ciphertext value according to the key. In other words a 
plaintext always has the same ciphertext given the same key. When data is applied to 
ECB mode, data is separated into blocks and then each block is encrypted independently. 
Figure 2.2 illustrates ECB mode [3]. ECB mode is not fitted for a system with small 
block sizes because the repetition possibility of the block becomes high and that will 
cause a decreasing of the security. That situation may be improved by the addition of 
8 
random pad bits in the block. Another method to increase the security is to enlarge the 
block size. A large size block has the ability to prevent a codebook attack since it 
contains enough unique entropy. However, a bit error will cause a whole block of data 
errors. 
Plaintext block Ciphertext block 
Key Key 
Encryption Algorithm Decryption Algorithm 
Ciphertext block Plaintext block 
Figure 2.2 ECB mode 
Cipher Block Chaining (CBC) [3] is the mode in which each plaintext block 
XORs with the previous ciphertext block, and then is encrypted with the key to produce 
the next ciphertext. The first ciphertext block is provided by an IV. Figure 2.3 illustrates 
CBC mode. In the figure, PJ represents the current plaintext with bits, P represents the 
recovered plaintext, E represents encryption algorithm, E.1 represents decryption 
algorithm, B represents block size, and Co represents the first ciphertext which is usually 
given by IV. CJ.J represents the previous ciphertext, and CJ represents the current 
ciphertext. In the figure, Ei3 represents the bitwise XOR of a block. The chaining structure 
makes the current ciphertext block entirely dependent on the previous ciphertext block. 
The same ciphertext block for a given plaintext can be obtained only if the same key and 
9 
the previous ciphertext block is the same. For CBC mode, a bit slip will cause the whole 
block and the remaining blocks to be random with respect to the plaintext. 
Figure 2.3 CBC mode 
Cipher Feedback (CFB) [3] mode utilizes a pseudo-random keystream which is 
generated by a block cipher to encrypt plaintext. Because the encryption of plaintext is bit 
by bit, CFB mode can fall into the class of stream ciphers. The significant characteristics 
of CFB mode is that it feedbacks the ciphertext into a shift register at the input of the 
block cipher to produce the next key stream block. CFB mode is illustrated in Figure 2.4. 
In this figure, m and B are the feedback and block size and m could be B or less than B, 
and E represents the block cipher with a block size of B. 
Similar to CBC mode, an IV as the initial input of the block cipher is provided to 
CFB mode to guarantee the same start on both the transmitter and the receiver. The value 
of m greatly influences the properties of CFB mode. When m = 1, CFB mode has the 
ability to recover from bit slips or insertions. When m > 1 and a single bit slip occurs, the 
input to the block cipher at the receiver will become misaligned and resynchronization 
10 
will not occur. CFB mode can be categorized as a self-synchronizing cipher when m = 1. 
However, it is very inefficient from the view of implementation [5]. How to increase the 
efficiency becomes an interesting topic. One single bit error in the communication 
channel will cause the recovered plaintext bit to be in error and the next whole block of B 
recovered plaintext bits to be corrupted. 
m m 
Ciphertext 
m m 
Figure 2.4 CFB mode 
Output Feedback (OFB) mode [3] can be used to construct a stream cipher by 
making use of a block cipher as a pseudo-random generator. As with CFB mode, it uses 
an IV as the input of block cipher initially. It then takes the previous output of the block 
cipher (not the previous ciphertext) as the next input to the block cipher to produce the 
next key stream block. OFB mode is illustrated in Figure 2.5. 
Of all operational modes, OFB mode offers minimal error propagation. A bit error 
will cause only one bit error because the generation of the key only has a relationship 
with the output of the block cipher rather than the ciphertext. It can be implemented with 
11 
high data throughput as well by performing the XOR of plaintext with keystream in 
blocks of B bits. However, it does not have the ability to resynchronize. To ensure that 
the communication system is working properly, OFB mode needs an extra signalling 
channel to periodically transfer an IV from the transmitter to the receiver to recover from 
any synchronization loss that may occur due to bit slips. 
OFB mode has a subtle security problem. Because the output of the block cipher 
is fed back as the input of the block cipher and the fixed length of the block size is used, 
it is possible to cause the repetitive usage of the keystream. That means the cryptanalyst 
can figure all subsequent messages transferred from the repeated parts, if the system is 
accessed by cryptanalyst and the cryptanalyst finds the repetition cycle of data. Thus, the 
security of OFB mode is decreased. 
m m 
Ciphertext 
m m m m 
Figure 2.5 OFB mode 
12 
2.4 Other Modes of Operation 
The conventional modes of operation discussed above were recommended to be 
used with DES [1]. With concerns of the security of DES, Triple-DES and AES have 
taken its place. This brings some new modes of operation and applications. 
Counter mode [6] also turns a block cipher into a stream cipher. It generates the 
next keystream block by encrypting successive values of a "counter". The counter can be 
any simple function, which produces a sequence that is guaranteed not to repeat for a 
long time, although an actual counter is the simplest and most popular. In counter mode, 
the state vector is simply a number the same size as the block of the block cipher. To 
encrypt any block, the number is incremented, then the incremented number is encrypted, 
the output of that encryption is XORed to the plaintext, and the result of the XOR is the 
ciphertext. The problem of the OFB mode having cycles of unpredictable (and potentially 
short) periods in some cases is solved. Since the counter doesn't cycle until it was stepped 
through all 28 numbers (assuming block size B). Obviously, counter mode should not be 
used with block ciphers whose blocks are so short that there is a risk of running a full 
cycle on one key. Hence, counter mode has to be applied on 64-bits or larger blocks. 
Counter mode has similar error propagation characteristics to OFB. 
Many other modes of operation besides counter mode are modified from the 
conventional modes of operation and counter mode, such as cipher-chain-cipher mode, 
propagation cipher feedback (PCBC) mode, CFB64 mode, etc [6]. 
13 
2.5 Advanced Encryption Standard (AES) 
AES [2] was developed by NIST to replace DES and protect sensitive government 
information well into the twenty-first century. Among five finalists, the Rijndael 
algorithm won out and has become the proposed AES algorithm. 
Before describing the cipher Rijndael algorithm, there are several parameters that 
need to be explained. State describes the intermediate data and is expressed as a byte 
array which has four rows and Nb columns. Nb is the block size divided by 32. The 
cipher key is expanded with the key schedule to generate round keys, w[iJ]. The number 
of rounds, Nr, is decided by the length of the cipher key. 
The cipher Rijndael consists of: 
• An initial round key addition 
• Nr-1 intermediate rounds 
• A final round. 
Initially a round key is added in to enhance the system security. In the 
intermediate Nr-1 rounds, each round is composed of four different transformations to 
realize confusion, diffusion, and key mixing [3]. The final round is slightly different from 
the previous Nr-1 rounds. 
Figure 2.6 [3] illustrates the structure of AES using the 128-bit block as an 
example. During the encryption and decryption, the State array is initialized as the 
plaintext and modified at each stage of the transformations. The 128-bit cipher key is 
arranged into the matrix of bytes to be expanded into 44 words of key schedule for 10 
rounds and each round takes 128 bits as the round key from the key expansion. In the 
14 
diagram, the inverse substitute bytes, the inverse shift rows, and the inverse mix columns 
are the inverse of the corresponding transformations. The details on the inverse 
transformations and other length of the cipher key are described in [2] and [3]. 
Aaintext Aat~ H 
,.--__I:I===.Ad:l==I'Cll.rd-==key====:::!f: .... ----+-V\{0,3]---.._.L__ __ .Ad:l_I'Oll"d--..--key __ ___j 
' I &tstitute bytes I I Expard key 
' ; I SHitrcMS I 
~ '---------~,~------~ 
Mxoolurrns ~ I I 
L-----~,~----~ r-1 
I .Ad:l rourd key :14----1------+- V\{4,7] ---------"~ 
r 
' I &tst~ute bytes I 
• ~ I SHitrcMS I § '---------.,--------_J 
tt I I Mxoolurrns 
L__ _ ---::I:·:-----__.J 
I 
.Ad:l rCll.rd key :14---1------+-V\{36,39]1----+-~ 
' 
I &tstitute bytes I 
0 ' i I SHit rcMS I tt '---------,,,;:--------_.J 
I .Ad:li'Oll"d key I 
' Ophertext 
Ercryption system 
~ ' --- V\{40,43] ---~ 
Inverse sl.b bytes 
Inverse stilt rcMS 
Inverse rrix ools 
Inverse sl.b bytes 
Inverse stilt rcMS 
Ophertext 
D3ctwtion system 
Figure 2.6 AES encryption and decryption 
15 
.... 
0 
::0 
0 
t: 
::J 
c. 
(.0 
::0 
0 
t: 
::J 
c. 
The functions of four transformations on the Sate are briefly explained here. 
• Substitute bytes: This transformation uses a nonlinear substitution table 
called an S-box to substitute each State byte-by-byte. 
• Shift rows: This transformation is a simple permutation according to the 
rules that the first row does not shift, the second row performs circular left 
shift by 1-byte, the third row performs circular left shift by 2-bytes, and the 
fourth row performs circular left shift by 3-byte. 
• Mix columns: This is a linear transformation on each column of State over 
GF (28) to generate new columns. 
• Add round key: This transformation XORs the current block with the round 
key. 
16 
Chapter 3 
Design and Implementation 
Environment 
An algorithm or an abstract idea can be implemented by software and hardware 
through a design process, and made into a system or a chip. A design has to depend on 
current particular technology, especially for hardware design. With systems or chips 
becoming more and more complex and the sizes of systems becoming smaller and 
smaller, a hardware technology, referred to as Very Large Scale Integration (VLSI), has 
become very popular. Computer Aided Design (CAD) tools are utilized in the design and 
implementation. This chapter will give some basic background to these issues. 
3.1 Software vs. Hardware Implementation 
Software implementation is prevalently used to check the correctness and the 
feasibility of a system or an algorithm due to its flexibility, ease of use, relatively low 
cost, and relatively short implementation time compared to hardware implementation. 
However, hardware implementation plays an important role in the system 
implementation due to its concurrent characteristics and the capability of satisfying speed 
that system requires. In hardware each part of a system can work concurrently such that 
the system efficiency can be improved. Hence, hardware implementation becomes more 
attractive for high speed applications such as broadband communication networks. 
17 
3.2 Design Methodology 
Unlike software, hardware implementation is a complicated process. Figure 3.1 
illustrates the design process of full ASIC from an idea to a chip or a board [8]. There are 
seven steps from an initial design idea to the final hardware implementation. Before it is 
passed to the next step, the result is checked to guarantee correctness of the 
transformation. In the end, a stream file which describes mask layer information for a 
circuit is generated for chip fabrication after Design Rule Checking (DRC) is completed. 
During the design process a Hardware Description Language (HDL) is used 
widely. Among many HDLs, the Very High Speed Integrated Circuit (VHSIC) Hardware 
Description Language (VHDL) is very popular in the research and industry domains. In 
our work we have made use of design methodology which is prevalently used in the 
process of a system design focused on the digital Integrated Circuit (IC) design flow 
recommended by Canadian Microelectronics Corporation (CMC) [8]. 
Instead of trying to implement the design of a large system all at once, a divide-
and-conquer strategy is taken in a top-down design process. Top-down design is referred 
to as recursive partitioning of a system into its subcomponents until all subcomponents 
become manageable design parts. By "manageable design parts" is meant that the 
components designed can be found in a library provided. Figure 3.2 outlines the recursive 
partitioning in a top-down design process. In the figure, the shadowed sub-components 
represent the manageable parts by hardware mapping in a library [8]. 
18 
Design Idea 
Behavioral Design 
Flow Graph, 
r Pseudo Code 
Data Path Design 
Bus & Register 
r 
Structure 
Logic Design 
... Gate Wirelist, 
r 
NP.tli~t 
Physical Design 
Transistor List, 
Layout 
Manufacturing 
Chip or Board 
Figure 3.1 A digital system design process 
19 
SUD 
SUD: System Under Design SSC: System Sub-Component 
Figure 3.2 Top-down design and bottom-up implementation 
When the top-down design process is completed, a partition tree is available. 
Then, the bottom-up implementation process begins. During this process, hardware 
components corresponding to the leaves of the tree are recursively bound until the system 
is completed. 
3.3 Design Flow, Functional Test and Verification 
Figure 3.3 shows the digital system design flow using the Deep-Sub-Micron 
(DSM) technology recommended by CMC. From the figure, it can be seen that the design 
flow is divided into two parts. The first four steps, which are referred to as front-end 
design part, use the VHDL language and Synopsys CAD tools and the remaining five 
steps, which compose the back-end design part, use Verilog and Cadence CAD tools. In 
the front-end design, a design idea is converted to a gate-level netlist. The gate-level 
netlist is then passed to the back-end design part for placing and routing. 
20 
Step one uses the VHDL language to transform the design idea to Register 
Transfer Level (RTL) codes and verify the functionality of RTL code. The top-down 
design and bottom-up implementation are the main strategies in this process. 
Step two accepts RTL codes and synthesizes them. The synthesis turns VHDL 
code automatically into gate-level code depending on the current libraries. This process 
may bring in many unnecessary circuits because of the limitations of the CAD tools [9]. 
The result could be unoptimizable. The situation may get worse when synthesizing a 
large design. However, for small and simple designs, it is efficient and trustworthy to use 
CAD tools for an excellent job. It is recommended in the Synopsys documentation that 
large designs not be imported directly to the synthesis tool. A hierarchical bottom-up 
approach should be used instead. Importing large designs leads to crashing the synthesis 
tool and in some cases may result in an unoptimized design [8]. In this research each 
module of the design is designed, synthesized and tested separately, based on this bottom 
up implementation approach. 
In the synthesis step, each component is analyzed and elaborated usmg the 
Synopsys Design Analyzer tool. Higher-level components are then built up when the 
synthesis results of all the bottom components are saved in the database or the work 
library. After the complete design is successfully imported, it is constrained based on the 
designer's performance objectives. In most cases, the constraints include input/output 
(I/0) pads specification, scan style definition, output load definition, and clock definition. 
If all pre-set constraints are met, the constrained design is then synthesized into gates. 
21 
Otherwise, the RTL code needs to be modified, simulated and then synthesized until all 
constraint requirements are met. 
Step three is the scan insertion for the design test by the standard scan-based 
Design for Testability (DFT) techniques. 
Step four is the gate-level simulation. This simulation is different from the RTL 
simulation in step one which ensures the design is functionally correct. Timing is not 
considered at that time because hardware timing information, which is tightly associated 
with the targeted technology and is defined in the library, is not available to the design 
yet. Hence, this step is the gate-level simulation with timing information considered for 
the design. 
Floor planning, which is step five, is to create a floor plan for the design. 
Step six, placement, is to use forward-annotated timing information from 
Synopsys tools to perform core cells placement. 
Clock tree generation is step seven to add clock buffer cells and nets to create a 
balanced clock tree . 
Step eight is routing and timing verification, which verify the gate-level circuit 
generated from the step previous. 
The last step is stream file. This step verifies the placed and routed design and 
fixes minor violations. The stream output is used for chip fabrication. 
This concludes the complete digital system design process based on CMC 
recommended design flow. 
22 
Synopsys 
Cadence 
RTL Simulation VHDL 
Synthesis Design Analyzer 
Scan I nsertation Design Analyzer 
Gate-Level Simulation VHDL 
Placement DP!Qplace 
Clock Tree Generation DPICTGen 
Routing & liming 
'v'erifi~tion 
Stream File 
Silicon 
Enserrble 
DR/ 
Figure 3.3 Design flow recommended by CMC 
23 
Chapter 4 
Statistical Cipher Feedback (SCFB) 
Mode 
In this chapter, statistical cipher feedback (SCFB) mode [10] is investigated. The 
algorithm of the SCFB mode was first described in [10] and the name was given in [5] 
because the cipher feedback is statistical which depends on the frequency of recognizing 
sync pattern. SCFB mode is a form of stream cipher which can utilize a block cipher to 
produce a keystream to XOR with plaintext data. Compared with conventional block 
cipher modes, SCFB mode can achieve self-synchronization with high efficiency, 
reasonable latency and modest buffer sizes. Hence, SCFB mode has the capability to 
recover from bit slips in the communication channel. 
Firstly, the working theory of SCFB mode is introduced. Then the top-down 
design and the bottom-up implementation are provided. The performance analysis of 
SCFB mode will be discussed in Chapter 6. 
4.1 Introduction to SCFB Mode 
In Chapter 2, it was shown that CFB mode with m = 1 is an inefficient mode with 
the property of self-synchronization. Hence, how to improve system efficiency and to 
keep the property of self-synchronization becomes a research direction. To save 
communications bandwidth, one way to control synchronizations of the encryption 
system and the decryption system is to check for a sync pattern in the ciphertext data 
24 
because the encryption system and the decryption system can obtain the same ciphertext. 
The sketch of SCFB mode is shown in Figure 4.1 where E represents the block cipher 
and the input register is used to store data as the input of the block cipher [10]. The scan 
block is used to scan ciphertext to find a sync pattern and collect the IV after a sync 
pattern is found. If the sync pattern is not recognized and the status of the system is not in 
the collection of new IV, the switch is put into the position A and SCFB mode can be 
thought of as OFB mode because its block cipher uses the previous output of the block 
cipher as the next input of block cipher to produce a block of keystream. If the sync 
pattern occurs, the switch is put into position B while the new IV is collected from 
ciphertext. After the collection of IV is completed, a new IV has been loaded into the 
input register to synchronize the system. During the collection of IV, SCFB mode is 
considered as CFB mode because its block cipher uses ciphertext as the next input to 
produce a block of keystream. 
key 
E 
A 
plaintext 
ciphertext 
Encryption 
Communication 
channel 
E 
A 
ciphertext 
Decryption 
Figure 4.1 SCFB system 
25 
key 
plaintext 
Hence, SCFB mode is a combination of CFB mode and OFB mode. SCFB mode 
conquers the deficiency of OFB mode by turning into CFB mode following the detecting 
of a sync pattern in the ciphertext to provide the capability of self-synchronization. As 
well, the efficiency of SCFB mode is improved significantly compared to the 
conventional CFB mode since SCFB mode works as OFB mode most of time. From this 
figure it can also be know that the decryption system has the same structure as the 
encryption system except the plaintext instead of the ciphertext is shifted into the input 
register. 
4.2 Implementation of SCFB Mode 
4.2.1 Software Implementation 
To precisely describe the operation of SCFB mode, the flowchart of SCFB mode 
is shown in Figure 4.2. In the figure, Xo ... Xs-1 and Yo ... Ys-1 represent plaintext bits and 
ciphertext bits, respectively. Furthermore, Wo ... Wn-1 represents an n-bit window that is 
used to compare with a sync pattern and Qo ... Qn-1 represents then-bit sync pattern. Ek (') 
represents the block cipher with the key k and block size B. Zo ... Zs-1 is a register to 
collect the B-bit IV. The flag, loading_IV, is used to indicate whether or not the collecting 
of IV is underway. The flag, new_IV, indicates whether or not the collection of the new 
IV is completed. 
From the flow chart, it is clear that block cipher operation is triggered by either 
the case that the sync pattern is found or the case that the encryption of B bits of plaintext 
is completed. If the sync pattern is found, the system starts to collect the B-bit new IV to 
26 
save in the Z register and waives checking for the sync pattern until a new IV is ready. 
All plaintext bits following the new IV are encrypted as a new OFB keystream. If the 
sync pattern is not found and the encryption of a B-bit plaintext is finished, the system 
works in OFB mode to trigger Ek 0 to produce a new B-bit block of keystream and 
continues to check for the sync pattern in ciphertext. 
No 
start 
Initialization 
Ia adlng_IV f- false 
Xo ... XB-1 <E- Initial value 
W0 ... Wrl_1 f-o ... o jf-0 
Yes End of 
data? 
No 
Figure 4.2 Flow chart of SCFB system 
27 
Although a description of software can clarify the algorithm of SCFB mode, the 
property of sequential logic gives a limitation on explaining and simulating how the 
system works efficiently. The system will become more efficient only if components in 
the system are used simultaneously and only a fewer components remain idle at any time. 
That is the fundamental reason why the hardware implementation is investigated in this 
thesis. 
4.2.2 Hardware Implementation 
4.2.2.1 Top-down Hardware Design of SCFB Mode 
The completed system of SCFB mode consists of the encryption system and the 
decryption system as shown in Figure 4.3. 
IV Key Pattern IV Key Pattern 
Clk Clk 
Plaintext Communication Channel Plaintext 
SCFB Encryption 
Ciphertext SCFB Encryption 
Reset System Reset System 
Figure 4.3 General diagram of SCFB system 
In the figure, IV, key and pattern are known by both the encryption system and the 
decryption systems. The port IV provides an initial IV to the inputs of block cipher. The 
key port gives a key to the block cipher. The pattern port provides a sync pattern to the 
system. Plaintext data is encrypted by the encryption system and sent to the decryption 
28 
system through a communication channel. The decryption system will then decrypt the 
encrypted data to recover the plaintext data. The input and output ports of the encryption 
system are displayed in Figure 4.4. 
elk 
Reset 
Key 
Ciphertext 
Plaintext Data Encryption System of SCFB Mode 1 
1 
IV 
Pattern 
Figure 4.4 I/0 ports of the encryption system 
Encryption system 
I 
I I 
Plaintext subsystem Keystream subsystem Ciphertext subsystem 
I Storage part I I Calculating part I Keystream t I I generation part Scan part Storage part I I Calculating part 
Figure 4.5 Block diagram of the encryption system 
The encryption system can be divided into three subsystems according to different 
functions: plaintext subsystem, keystream subsystem and ciphertext subsystem as shown 
29 
in Figure 4.5. In practice, a plaintext buffer and a ciphertext buffer are required in order 
to provide the elasticity needed to ensure that the incoming and outgoing data speeds are 
the same even while the processing of data inside the system is not constant. 
The plaintext subsystem is used to collect plaintext data and send data out after 
the collection of B bits of data is completed. Because the plaintext subsystem needs to 
store incoming data in a queue which is named plaintext queue (PQ), there is a storage 
part in the figure. The calculating part is used to calculate the queue position at which 
incoming data should be placed. The keystream subsystem is used to generate the 
keystream and scan the ciphertext for the sync pattern to synchronize the encryption and 
the decryption systems. Therefore, the keystream subsystem has two functions: the 
keystream generation part produces the keystream using a secure block cipher, and the 
scan part recognizes a sync pattern. If the sync pattern occurs, the scan part will collect a 
block of ciphertext as the new IV to send to the keystream generation part as the new IV. 
If the sync pattern does not occur, the keystream subsystem uses the previous output of 
the block cipher as the input to produce keystream and the scan part continues to scan for 
the sync pattern. The ciphertext subsystem stores ciphertext data and sends ciphertext 
data to communication channel. The ciphertext subsystem has the same queue structure 
as the plaintext subsystem and hence, requires storage (referred to as the ciphertext queue 
(CQ)) and the calculating part to manage the queue data positions. 
4.2.2.2 Parallel Transfer vs. Serial Transfer 
Parallel transfer and serial transfer are two methods to transfer data bits from the 
PQ to CQ. In parallel transfer the incoming plaintext data bits are not sent to XOR with 
30 
the keystream until there are enough data bits in the PQ and the block cipher finishes the 
production of a block of keystream. In the case which SCFB mode works as OFB mode 
and the sync pattern is not recognized, the PQ collects B data bits depending on the 
frequency of clock and then sends the whole block of data to XOR with B bits of 
keystream at a time. In the case that the sync pattern is found but the collection of the 
new IV is not completed, the PQ collects data bits until it has the number of bits needed 
by the new IV and then sends the exactly needed data out to XOR with a partial block of 
keystream to produce a partial block of ciphertext. 
In contrast to parallel transfer, serial transfer sends plaintext data out bit by bit to 
XOR with keystream bits and the CQ receives the ciphertext data bit by bit. Serial 
transfer generally requires a simpler circuit than parallel transfer. However, unlike 
parallel transfer which has no clock limitation and can obtain high efficiency, serial 
transfer has clock limitation which constrains the system efficiency. In this thesis, to 
investigate the tradeoffs between these two methods, parallel transfer and serial transfer 
are applied to SCFB mode and OCFB mode (which will be discussed in Chapter 5), 
respectively. 
4.2.2.3 Implementation Structure of an SCFB System 
According to the discussion above, a general figure for the encryption system is 
drawn in Figure 4.6 [5]. While the plaintext data is being collected, a keystream block of 
B bits is generated by the block cipher. The input of the block cipher can be either the 
output of the block cipher or the IV from the ciphertext depending on whether n bit sync 
pattern is recognized. After a block of keystream is ready and the collection of B bits of 
31 
plaintext data is finished when the sync pattern is not found, the B bits of the keystream 
will be XORed with B bits of the plaintext data to produce the same length of ciphertext 
which is then stored into the CQ. When the sync pattern is recognized, the number of 
plaintext bits needed by the portion of new IV not in the same encrypted block as the 
sync pattern is collected to XOR with the keystream and then sent to CQ. The CQ will 
send data bit by bit into the communication channel at a constant rate. In the figure, the 
low case d refers to the number of bits transferred out of PQ which could be less than or 
equal to B bits. The queue which collects ciphertexts to compare with the n-bit sync 
pattern in the figure is named new IV queue (IVQ) and is used to provide new IV for the 
system. The block cipher described as E in this figure adopts the AES algorithm with the 
128-bit block length which was implemented by NIST and the results are published in the 
implementation of SCFB mode. 
B 
E 
plaintext 
queue 
I • • • • I I 
I• ~I 
< 7 
B or 
d<B 
New IV 
Key 
-
I I 
I• 
( 
7 
B or 
d<B I• 
I 
B 
IV queue 
n 
++-I 
••••• 
I 
I .... 
ciphertext 
queue 
I 
•I 
•I 
I I 
Figure 4.6 Structure of the encryption system 
32 
I 
7 ~ .. 
The decryption system has a structure similar to the encryption system except that 
the position of the checking the sync pattern occurs on the input (i.e., ciphertext) side 
rather than the output (i.e., recovered plaintext) side. The input switching of the block 
cipher from the output of the block cipher to the new IV is again dependent on the 
detection of the sync pattern. 
4.2.2.4 Discussion on Queuing 
Initially the PQ is empty and the CQ is full with arbitrary data. When the PQ is 
collecting data at a fixed rate, the CQ is sending data out bit by bit at the same fixed rate. 
Because the rate of incoming data to the PQ is exactly the same as the rate of departing 
data from the CQ, the CQ becomes empty when the PQ fills up. When the PQ sends a 
whole block of data to XOR with the keystream to produce a block of ciphertext, the 
block of ciphertext data is put in the CQ. Hence, the PQ empties and the CQ fills up. This 
process represents the elastic property of the queues. If resynchronization occurs 
frequently in a short time, it will cause the PQ overflow. To avoid the overflow, the size 
of the PQ has to be large enough to reduce the probability of overflow to as small as 
possible. 
The size of queue has an influence on the delay when data passes through the 
system. If k represents the number of bits in the PQ and M represents the size of PQ 
which is the same as the size of CQ, the CQ should have (M - k) bits because the 
incoming speed of the PQ is identical with the outgoing speed of the CQ when no sync 
pattern is found. The delay through the system is k + (M- k) = M bits [5]. To minimize 
the delay, the buffer size M should be as small as possible. However, M has to be large 
33 
enough to save the incoming data when the block cipher gets delayed producing the 
keystream due to a burst of resynchronizations. M should be greater than or equal to B 
because PQ continues to collect data while the system collects all B bits of IV after the 
sync pattern is recognized. It is possible that the last bit of IV could happen anywhere 
within a block of ciphertext and there is a scenario where only part of the block needs to 
be XORed since all bits following the last bit of IV have to be encrypted by the new 
block of keystream. Although this partial plaintext block is XORed with the keystream as 
soon as possible, it still gives some delay to the system. Hence, M should not be less than 
B bits so that it has enough space to store the data and does not have data overflow [5]. 
4.2.2.5 Bottom-up Hardware Implementation 
In this section, the plaintext subsystem, ciphertext subsystem and keystream 
subsystem implementation are discussed in detail. The encryption system is then built up. 
(The decryption system of SCFB mode has a similar structure to the encryption system.) 
In this implementation, the Rijndael algorithm with a 128 bit block size is used as 
the core algorithm of the block cipher. To mitigate buffer overflow, the sizes of PQ and 
CQ are 256 bits. The sync pattern is chosen as "10000000" with a length of 8 bits. 
• Plaintext Subsystem 
The main task of the plaintext subsystem is to collect plaintext data and send data 
to XOR with the keystream when there is enough data in the queue. There are two 
scenarios for the PQ. One is that the PQ collects B bits data and then sends them out 
when the sync pattern does not occur. When the sync pattern is found, the keystream 
34 
subsystem will take the data following the sync pattern as the first part of IV and then the 
scan part of the keystream subsystem calculates how many bits beyond a block boundary 
are needed to finish the collection of all B bits of IV. The value calculated is then 
delivered to the plaintext subsystem. After the value is received, the plaintext subsystem 
compares it with the number of bits in the queue. If the number is greater than the value 
received, the plaintext subsystem sends the exact number of bits needed by the keystream 
subsystem to XOR with the keystream to produce a partial ciphertext block as the rest of 
IV. If the number is less than the value, the plaintext subsystem will wait until there are 
enough data bits in the queue and then send them to XOR with the keystream. 
The plaintext subsystem includes two main parts which are the storage part and 
the calculation part as shown in Figure 4. 7. There are two parts included in the storage 
part: buffers and pointers. From the figure, it can be seen that there are two buffers. The 
upper buffer with the size of 256 bits stores incoming data and the lower buffer saves the 
128-bit data extracted from the upper buffer to be ready to XOR with the keystream. The 
part between the upper buffer and the lower buffer is the pointer part which extracts 128 
bits of data from the 256 bit queue to store into the lower buffer according to the result of 
the calculation part. Although there is a scenario that only a partial block of plaintext is 
needed when the sync pattern is recognized, the PQ part always provides 128 bits to XOR 
keystream. The task of extracting the exact number of valid data bits is left to the 
ciphertext subsystem and the scan part of the keystream subsystem. The extracted data is 
conceptually removed from the 256 bit queue by adjusting the appropriate pointer. 
35 
Because the addresses of the 128 bits of data extracted are contiguous, there are 128 
MUXes to select 128 bits from the upper buffer. 
The calculation part includes two parts: calculation and comparison. The 
calculation part is in charge of the number of bits in the upper buffer and sends the 
number calculated to the pointer part of the queue. There are two cases for the 
calculation. If the sync pattern is not found, every 128-bit data is sent out from the 
plaintext subsystem and 128 is subtracted from the upcounter which is used to count the 
number of bits for the upper buffer as shown in the figure. If the sync pattern is found, the 
number subtracted from the upcounter is varied from 1 to 128 depending on where a sync 
pattern occurs. Thus, the pointers move according to the results of the calculation part. 
The comparison part is used to compare the number of bits in the upper buffer with the 
number of bits in a partial block which the new IV needs if the sync pattern is recognized. 
If the sync pattern does not occur, the comparison part is used to control the time when a 
block plaintext should be sent out from the lower queue. In other words, only if there are 
enough bits in the plaintext queue and the keystream is ready, is it the time to send out 
the plaintext data and the flag, ready, is set to '1' to indicate that data is ready. 
• Ciphertext Subsystem 
The diagram of ciphertext block is illustrated in Figure 4.8. The task of the 
ciphertext subsystem is to receive the incoming block of ciphertext data and put them into 
the corresponding positions in the CQ. Again, there are two scenarios. If the sync pattern 
is not found, it accepts 128 bits of data. However, if sync pattern is found, it only accepts 
36 
w 
-.) 
Storage Part 
256 
Calculation 
Part 
r·· 
Num 
Loading 
Upcounter 
Clrbar 
~
En 
Comparison 
Part 
~--~~-_j ~L 
r-
128 L Data_out 
Greater 
Figure 4. 7 Hardware structure of the plaintext subsystem 
Comparator 
(with 128) 
01 
0-
'--------.-----' Clrbar 
Found 
Num 
Ready 
the number of bits needed. Obviously, there are two parts included in the ciphertext 
subsystem. One is the 256-bit buffer which receives 128 or less bits of ciphertext to put in 
the corresponding positions according to the pointer and sends data out bit by bit. The 
other part is used to calculate the position in the ciphertext buffer for the incoming 128 or 
less bits of ciphertext . 
From the figure, the ctrl_de signal stands for the first pointer to point to the 
position into which the incoming ciphertext bits are moved. Because the addresses of the 
incoming ciphertext data are continuous, only the address of the first pointer needs to be 
calculated. The ready_data signal indicates when the pointer value is valid for the CQ. 
When part of the block of ciphertext data is coming, the queue part only accepts the exact 
number needed and the pointer has to move to the corresponding position. 
From the discussion above, it can be seen that the ciphertext part, Demux, has the 
function that accepts 128 or less bits data and distributes each data bit into the 
corresponding position and shifts data out every clock period. 
• Key Subsystem 
The key subsystem includes the key generation part shown in Figure 4.9 and the 
scan part shown in Figure 4.11. The key generation part accepts either the previous 
output of the block cipher or the new IV from the scan part as the input of the block 
cipher which is decided by the recognition of the sync pattern. There are two registers, 
upper Reg and lower Reg. The upper Reg, initialized by the IV, stores the input of the 
block cipher and the lower Reg stores the output of the block cipher to XOR with the 
plaintext data. The block cipher shown as E block in the Figure 4.9 adopts to the 
38 
ready 
ready_data 
Clk 
Clrbar 
8 
Down_loadi 
ng 
Downcounter 
Ready_data Ciphertext 
128 
ready_data 
ctrl_de 
8 
Figure 4.8 Hardware structure of the ciphertext subsystem 
Clk Reset IV Key Flag_NewiV 
128 ~ 128 v Output_y '>~/ Conmu>: lnputx' 
'< IV 128 128 lnputx 
128 
-- f.;j r- X Reg 
128 
Data_ ac 
controller 
Enc_D c 
Cv_Lo c E 128 
Cv Si 
128 
~ E Reg 
128 
Done 1· Key 
stream 
Plaintext Ciphertext 
128 stream + stream 
12e 
Figure 4.9 Hardware structure of key generation part 
39 
Rijndael algorithm to be used to generate the pseudo-random keystream. The 
implementation of Rijndael algorithm is published by NIST. The encryption of Rijndael 
algorithm causes some delay which is related with the number of rounds involved in 
encryption. 
The controller controls the enable pins of the upper Reg and the lower Reg to 
decide the loading time of a new block of data. Its state machine is illustrated in Figure 
4.10. Combined with the Figure 4.9, it is clear that the controller controls the signals of 
En_regx, En_regy, Data_Load, Cv_Load, Cv_size, and Conmux. The signal En_regx is 
the enable signal of the upper Reg, En_regy is the enable signal of the lower Reg, 
Conmux is the signal to control the selection of the input of the block cipher, and the 
signals of Data_Load, Cv _Load, and Cv _size are provided to the Rijndael algorithm of 
the block cipher. 
When started, the system is reset and the controller goes into the state of RST to 
initialize the parameters. After reset changes to '0' from '1 ', the state of the controller 
goes to Gen_keyl, which generates a new block of keystream, on the rising edge of the 
system clock. When the signal of CipherDone, which stands for whether the generation 
of the new block of the key is completed or not, is set to '1 ', the controller changes to the 
state of Taken_keyl, which means that the new block of the keystream is ready and can 
be used to XOR with the new block of the plaintext. In this state, the controller sets the 
output signal, Done, to '1' to indicate the encryption system that the keystream is ready. 
The encryption system is waiting for the completion of the collection of the block of the 
plaintext. After the collection of the plaintext is finished, a block of keystream XORs 
40 
with B bits or less than B bits plaintext data at a time which depends on whether or not 
the sync pattern is recognized and the encryption system sets the signal, Ready_data, to 
'1' from '0'. The change of the signal Ready_data makes the state turn into More_time 
from Taken_keyl. This state gives one more clock cycle time to the controller. Because 
the parallel comparators are applied to find the sync pattern in the ciphertext, the finding 
can be finished in one clock cycle. Hence, in the state of More_time, the signal, 
jlag_New!V, can be decided. Then the controller turns into the state of Load_input, which 
sets the control signal, Conmux, to '1' and loads the new input of the block cipher. After 
the new input is provided to the block cipher, the new round of the controller of the 
keystream is started. 
CipherDone 
='1 Ready_data= 
'1 
Figure 4.10 State machine of the controller of the keystream subsystem 
The scan part [11] is the most important and complicated part in the whole 
implementation of the encryption system as shown in Figure 4.11. As mentioned above, 
the scan part has two tasks. One is to check for the sync pattern and the other is to collect 
41 
the new IV when the sync pattern is found. Before implementation, there are several 
issues which need to be considered. 
• How to check for the sync pattern? 
Because the data is encrypted block-by-block, it is necessary to consider the 
situation of the borders of the blocks since there is a possibility that the sync pattern is 
split across blocks. Copying the last n-1 bits of the previous comparison block to the next 
first n-1 bits of the current comparison block is a useful approach to solve this problem. 
That is why the queue of the sync pattern has n-1 more bits than the block size B. The 
number of B comparators is needed to check the (B+n-1) bits of data at once. 
• How to collect the new IV after the sync pattern is recognized? 
It is impossible to fulfill the collection in one block. Hence, how to calculate the number 
of bits remaining in the new IV past a block boundary is an issue. The data following the 
new IV should be encrypted by the key which is generated by the new IV. Therefore for 
the collection of the second part of the new IV, the PQ needs only collected to the 
number of bits that the new IV needs to XOR with the keystream to generate the rest of 
the new IV. The comparators compare the data with the sync pattern and the controller is 
used to control when the result of the comparison is sent to the encoder because SCFB 
mode does not check the sync pattern during the collection of the new IV. After the flag, 
''founcf', changes from '0' to '1 ', the control part closes the output of the comparators and 
keeps the previous value to the encoder. If the sync pattern is found, the encoder can 
translate the results of the comparison into the position where the sync pattern is. 
42 
According to the pointer of the encoder, the number that the new IV needs for the rest can 
be calculated by use of the adders. This value is sent to the plaintext subsystem and the 
ciphertext subsystem. 
• How to extract the new IV from the queue if the sync pattern is found? 
The two components of "MUX 2:1" on the right side of the figure are used to 
point to the correct positions. The upper "MUX 2:1" points out the position of the data 
extracted from the queue and the lower "MUX 2:1" points out the position where the bits 
extracted are going to. The "MUX 135:1" outputs the data pointed to and the component, 
SDemux, accepts the data from 128 "MUX 135:1" to form the new IV according to the 
pointer of the position. When the collecting of the new IV is completed, a flag in the 
"MUX 2:1" indicates the new IV done. 
• Encryption System 
An encryption system is formed by putting the plaintext subsystem, the keystream 
subsystem and the ciphertext subsystem together. The encryption of the system needs to 
wait until the keystream and the 128 bits of plaintext data (or the number needed) are 
ready. When the ready signal of the keystream subsystem, Done, and the ready signal of 
the plaintext subsystem, Ready, are set to '1 ', the system starts to send plaintext data to 
XOR with the keystream to generate a block of ciphertext data and sets the flag, 
ready _data, to '1'. This indicates that the current ciphertext data are valid ciphertext data. 
The ciphertext subsystem can place it in the queue. 
43 
.j:::.. 
.j:::.. 
Ready_data 
00000111 
134 
g 
[ 
m-
elk 
eq 
128 
135 
135 
G 
G 
B 
ciphertext 
135 
00000111 outer1 
ctrl_lowhalf 
pointer 
SDemux 
128:128 
128 
Figure 4.11 Hardware structure of the scan part of the keystream subsystem 
clrbar 
.j:::.. 
Ul 
iliisynopsys Waveform V1ewer- SCFB_ENCRVP ...,;TES1UBENCH.jaguar;~t8SH .. IIl¥t~O ""{Unti~ ~ :»,'%fu:-~" "•\>;[~ ""' ' 0i ~ 
GoTo View 
IRIRIIII 
/SCFB_ENCRYP _TEST _BENCH/CLK 
/SCFB_ENCRYP _TEST _BENCH/RESET 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_IN 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_ OUT 
1> /SCFB_ENCRYP _TEST _BENCH/IV(127:0) 
1> /SCFB_ENCRYP _TEST _BENCHIP A TTERN(7:0) 
1> /SCFB_ENCRYP _TEST _BENCH/CV _IN(255:0) 
/SCFB_encryp_test_bench/tsclbD/found 
1> /SCFB_encryp_test_benchltsclbD/num(7:0) 
/SCFB_encryp_test_benchltsclbD/ready_data 
/SCFB_encryp_test_benchltsclbD/key_ready 
1> /SCFB_encryp_test_bench/tsclbD/subkey( 127:0) 
1> /SCFB_encryp_test_bench/tsclbD/Data_out(l27:0) 
1> /SCFB_encryp_test_bench/tsclbD/ciphertext(l27:0) 
Figure 4.12 Simulation waveform of the encryption system 
'~:ij~~~ 
.j:::.. 
0\ 
!;synopsys Waveform Vtewer- SCf'D_ENCRYP _TEST_8E'NC:H.,Ja(N:af!:.l85'96 .. ow;Q- [untnJ¢4] :;;:;2 $¥!% m"' @t-,m""8:>"' kd'>\%@,~ 
Eile Marker §_oTo 'itiew 
/SCFB_ENCRVP _TEST _BENCH/CLK 
/SCFB_ENCRVP _TEST _BENCH/RESET 
/SCFB_ENCRVP _TEST _BENCH/SERIAL_IN 
Window 
0 
/SCFB_ENCRVP _TEST _BENCH/SERIAL_ OUT II o 
1> /SCFB_ENCRVP _TEST _BENCH/IV(1 27:0) 
1> /SCFB_ENCRVP _TEST_BENCH/PATTERN(7:0) 
1> /SCFB_ENCRVP _TEST _BENCHICV _IN(255:0) 
/SCFB_encryp_test_benchltscfbO/found 
1> /SCFB_encryp_test_benchltscfbOfnum(7:0) 
FFOOA. 
80 
0 
00 
/SCFB _ encryp _test_ benchltscfbOfready _data II 0 
/SCFB_encryp_test_bench/tscfbOfkey_ready 0 
1> /SCFB_encryp_test_bench/tscfbOfsubkey(1 27:0) 
1> /SCFB _ encryp _test_ bench/tscfbOIOata_out( 1 27:0) 
E8AA 
1> /SCFB encryp test_bench/tscfbOfciphertext( 1 27:0) II EBAA 
- -
FFOOAA550FF03300FFCCDB33246D777B 
F==============F======================================== 
80 
95254952549~254952549525495254952549525495254952549525495254952D 
00 OE 00 
E8AAA6A 1 3DI 03612470481 D0070A 1 C06 
0000000000000000000000 7 478D47C6903628027E5DB756495F C 1 3 IOOOOOOOOOOOOOOOOOOOOOOOOC 
BAAA6A 1 3D1 0361 247D4,9CD272DD541 354926031 5/>.A5639FEO* 167* j1 34F4A01 5E5CODC9895BF*j7 
Figure 4.13 Simulation waveform of the encryption system 
i_llsynopsys Waveform Viewer- 5CFB_-E'fli«:RVP....:TEST_BENC:H.;jagual':.t8596~:0 .. {Uht:itte.d} "'" :fi,~ " A~ ~":~if m :"'W ' fl ~ 
/SCFB~ENCRYP ~TEST ~BENCH/CLK 
11: /SCFB~ENCRYP ~TEST ~BENCH!RESET 
!SCFB~ENCRYP ~TEST ~BENCH!SERIAL~IN 
!SCFB~ENCRYP ~TEST ~BENCH!SERIAL~OUT 
1> !SCFB~ENCRYP ~TEST ~BENCH!I V( 127:0) 
1> !SCFB~ENCRYP ~TEST ~BENCH!PA TTERN(7:0) 
1> !SCFB~ENCRYP ~TEST ~BENCH/CV ~IN(255:0) 
fSCFB~encryp~test~benchftscfbO/found ll:o 1> fSCFB~encryp~test~benchltscfbO/num(7:0) 
/SCFB~encryp~test~benchltscfbOiready~data 
/SCFB~encryp~test~benchltscfbotkey ~ready liD 
1> !SCFB~encryp~test~ benchltscfbotsubkey( 127:0) 
+:>. 1> /SCFB~encryp~test~ benchltscfbO!Data~out(127:0) 
-...) 
1> !SCFB~encryp~test~ benchltscfbOfciphertext( 127:0) 
Figure 4.14 Simulation waveform of the encryption system 
The encryption system, coded using VHDL and simulated by the Synopsys tool [8] and 
the waveforms are shown in Figure 4.12, Figure 4.13, and Figure 4.14. The Figure 4.12 
displays that the first block of keystream is ready and the ready flag, key_ready,becomes 
'1'. Data_out (127:0) in the figure stands for a block of plaintext data sent out to XOR 
with the keystream. In this figure the collection of 128 bits of plaintext data is not ready. 
The Figure 4.13 indicates that the first 128 bits of plaintext data is ready and the new 
block of ciphertext data is generated. The encryption system sets the flag, ready_data, to 
'1'. The sync pattern is found after the ready _data flag is set to '1 '. The system calculates 
instantly the number needed by the second part of new IV which is shown as OE in 
hexadecimal. The finding of the sync pattern makes the keystream subsystem restart to 
generate the new block of keystream. After several clock cycles, the key _data becomes 
'1' and 15 bits of plaintext data is ready. It produces the new 15-bit ciphertext data and 
the ready _data flag becomes '1' again. The new IV is sent to the block cipher as the new 
input to produce the new block of keystream. The collection of the new block of plaintext 
data is ready in the Figure 4.14. The new block of ciphertext data is produced and no 
sync pattern is found in this round. More waveforms of simulation results of the 
encryption system are shown in Appendix A 
• Decryption System 
The decryption system has the same structure as the encryption system except the 
plaintext instead of the ciphertext is shifted in the last bit of the upper Reg. The 
simulation waveforms of the decryption system are shown in Appendix A. 
48 
4.2.2.6 Test Methodology 
To test the full encryption system, a system was built up by combining the 
encryption system and the decryption system. Random bit patterns generated by C++ 
code were used as the plaintext input and saved to an input file. The random plaintext is 
encrypted by the encryption system and then sent to the decryption system. By 
decryption, the ciphertext are turned into recovered plaintext. Comparing the plaintext 
recovered with the original input, we can know whether or not the system working is 
correct. One special case of the inputs and outputs of the system is shown in Appendix A 
to make results easy to check is to let all of the input be '1 's at the encryption system. 
The first 128 bits of the output of the decryption system in the Appendix A are the initial 
bits in the CQ of the decryption system. In this implementation, the CQ of the decryption 
system is initialized as all '0'. 
4.2.2.7 Complexity of Hardware Implementation 
The hardware implementation of SCFB mode utilizes the Synopsys tool based on 
0.18 f.1rrt CMOS technology to perform the front-end synthesis of the design. The 
hardware complexity as shown in Table 4.1 is reported by the design analyzer of the 
Synopsis tool with the constraint of the system clock of 10 ns. With the system clock rate, 
no slack is generated during the process of synthesis. No slack means that the design 
circuit can satisfy the required speed. The synthesized result of the Rijndael algorithm 
comes from [12]. When the circuit is synthesized it gets a report indicating a number of 
different gates, timing and a total overall area. One common way to estimate the circuit 
size is to use the number of equivalent 2-input NAND gates as a metric of the circuit size. 
49 
The area of synthesized circuits, which is in square microns (jtm2), is converted to the 
gate count by using the two-input NAND gate which has the area of 12.197 j.Jm2 as a 
basis for comparison. 
The table shows that estimated total gates of the encryption system is 1255644, 
out of which the Rijndael algorithm needs 612834 gates. Hence, the whole keystream 
subsystem including the key generation and the scan part occupies 60% of the hardware 
complexity of the system. 
4.2.2.8 Discussion of Other Structures 
There are other structures that are suitable to implement the SCFB system. One 
approach would be to remove the PQ and the CQ and thus remove elasticity in the flow 
of data through the system. A block cipher output must then be generated within one bit 
time of incoming data. This would clearly minimize delay through the system as the 
block cipher runs at the rate of B times of link rate. The system efficiency becomes 1/B, 
which is the same as for the CFB mode. Hence, this approach has little value [5]. 
4.3 Conclusion 
This chapter introduces the concepts of SCFB mode and describes the structure of 
a hardware implementation of an SCFB system. In the hardware implementation of 
SCFB mode, parallel transfer is applied to obtain high working efficiency. The hardware 
aspects of SCFB mode such as the queuing requirement, the relationship between queue 
sizes, and the data delay during the transmission from the plaintext queue to the 
ciphertext queue are discussed briefly. These will be further discussed in Chapter 6. 
50 
For a hardware implementation, SCFB system has the ability of self-
synchronization and can obtain much higher efficiency than CFB mode. Compared to 
Rijndael algorithm, the system doubles in hardware complexity. We conclude that SCFB 
systems are well suited to high-speed digital hardware implementation. 
Component Combinational Noncombinational Total Area Total Gate Name Area Area 
Plaintext 2,237,383 89,662 2,327,046 190,788 
subsystem 
Keystream 
generation 11,298 13,221 24,519 2,010 part without 
Rijndael 
Scan part of 
keystream 1,512,222 148,470 1,660,693 136,155 
subsystem 
Rijndael 612,834 
algorithm 
Ciphertext 3,759,299 68,801 3,828,101 313,856 
subsystem 
Encryption 1,255,644 
system 
Table 4.1 Hardware complexity of the encryption system of SCFB mode 
51 
Chapter 5 
Optimized Cipher Feedback (OCFB) 
Mode 
In this chapter, optimized cipher feedback (OCFB) mode [13] is investigated. As 
with the SCFB mode, OCFB mode can configure the block cipher as a stream cipher by 
using the output of the block cipher as the keystream to XOR with the plaintext to 
produce a block of ciphertext. 
Compared with CFB mode, OCFB mode attains higher efficiency and the ability 
of self-synchronization by checking for a sync pattern in the process of producing 
ciphertext. OCFB mode is quite similar to SCFB mode except OCFB mode keeps 
checking for the sync pattern all the time even during the IV collection phase. These 
differences influence the method of implementation and the properties of the system. 
This chapter describes the working theory first and then the top-down design is 
given. Finally it provides the hardware implementation of OCFB mode in detail. In the 
next chapter, the discussion on the performance analysis of OCFB mode will be 
combined with performance analysis of SCFB mode. 
As we discussed in Chapter 4, the serial transfer from the PQ to the CQ is adopted 
in the hardware implementation of OCFB mode instead of the parallel transfer of our 
SCFB mode implementation in order to analyze the influences given by the different 
methods of implementation. As we shall see, the serial transfer reduces the hardware 
52 
complexity but brings a complicated timing relationship to the implementation of OCFB 
mode which limits its operating efficiency. 
5.1 Introduction of OCFB mode 
The motivation of OCFB mode is to optimize CFB mode by improving the 
efficiency while still achieving the ability of self-synchronization. The approach is 
illustrated in Figure 5.1. OCFB mode is optimized by buffering all output bits of block 
cipher into the shift register SR2 as keystream to produce ciphertext. The ciphertext is 
sent out to the communication channel and the shift register SRI as the input of the block 
cipher simultaneously. A counter, named shiftcounter, is used to trigger execution of the 
block cipher after enough bits are collected in SRI. However, synchronization would be 
destroyed due to bit slips or insertions in a communication channel because the counters 
of the encryption system and the decryption system would lose synchrony relative to the 
ciphertext stream. Hence, resynchronization has to be done for both sides of counters. 
The only way to obtain resynchronization is to check for a sync pattern in the ciphertext 
because the ciphertext can be obtained for both the encryption and the decryption. The 
encryption system and the decryption system in the figure compare the current content of 
SRI with the sync pattern on each clock cycle. The counters are not reset until the sync 
pattern is found. This causes the counters of the encryption system and the decryption 
system to obtain synchronization again. 
Unlike SCFB mode, OCFB mode continues to check for the sync pattern in all of 
the ciphertext bits even when IV is collecting. Here we define IV to be the next B bits 
following the last bit of the sync pattern. This gives the OCFB mode more opportunity to 
53 
resynchronize. However, for a hardware implementation we shall see that the result is 
that it is more likely to have a buffer overflow resulting in a decrease of the system 
performance. 
---..EB-----.l.......l!---------------l----_.,-4+--l~ 
Encryption Decryption 
Figure 5.1 OCFB system 
5.2 Implementation of OCFB mode 
5.2.1 Software Implementation 
To precisely illustrate the operation of OCFB mode, the flowchart of OCFB mode 
is shown in Figure 5.2. In the flowchart, B represents the block length and shiftcount 
represents the counter with logz B bits which is used to keep track of which bit is being 
XORed with plaintext. SRI i and SR2i represent the i-th bit of SRI and SR2, respectively. 
The notation SRio ... SRis-J ~ SRh ... SRis-IC]+i is used to indicate the shifting of SRI from 
the higher bit position to the lower bit position and the highest position is substituted by 
the ciphertext bit. The IV that is known by both the encryption system and the decryption 
system is loaded into SRI after the start of the systems. The pattern represents the sync 
54 
pattern which is used to resynchronize the system. The block cipher Ek encrypts B bits of 
data to produce the same length of output as keystream and is stored in SR2. We assume 
the Ekrepresents 128-bit Rijndael with 128 bit key. 
Yes 
Yes 
j~j+l 
Start 
Initialization 
SR1 0 .•• SR1 8_1 f-lnltlal Value 
jH 
SR20 ••. SR2 8., ~E,(SR1 0 ... SR1 8 .,) 
IH 
No 
No 
Ci+i~pl+l XOR SR20 
SR1 0 ... SR1 8 _1 ~SR1 1 •.. SR1 8_1CI+I 
SR20 .•• SR28 _1 ~SR2 1 ••. SA28 _10 
i= i+1 
Figure 5.2 Flow chart of OCFB system 
After the system is started, an IV is loaded into SRI and the system encrypts IV to 
produce the first block of keystream. The symbol i representing the shiftcounter is cleared 
to '0'. The system starts to compare the 1st n bits of the current content of SRI with the 
55 
sync pattern. If it is equal to the sync pattern, the system sets i to B and triggers Ek to 
encrypt B-bit SRI and save the B-bit output into register SR2. If the content of SRI is not 
equal to the sync pattern, i will add one. If i does not reach B, SRI and SR2 shift one bit 
position and the ciphertext generated by the previous SR2 bit is moved into the last bit of 
SRI. Meanwhile, the ciphertext is sent out to the communication channel. This process is 
repeated until all of the data is encrypted. 
The software implementation of the OCFB mode is simple. Because software 
executes sequentially and does not take advantage of concurrency to gain efficiency, 
hardware implementation realizes the full value of an OCFB system. The advantage of a 
hardware implementation is that components can run concurrently thereby minimizing 
the idle time for each part to improve the system efficiency. 
5.2.2 Hardware Implementation 
5.2.2.1 Top-down Hardware Design of the OCFB Mode 
From the description of the OCFB mode, it is clear that six data input ports and 
one output port are required as shown in Figure 5.3. The clki port provides the system 
clock. The Reset port is used to reset the system. The Key port provides the primary 
cipher key for the Rijndael algorithm. The Plaintext data port serially collects the 
incoming data bits. The IV port provides the first IV to the system. The encryption system 
and the decryption system initially have the same IV and primary key to give the system 
the same starting point. 
The encryption system can be divided into three functional subsystems which 
have different tasks: the plaintext subsystem, the keystream subsystem, and the ciphertext 
56 
subsystem as shown in Figure 5.4. The plaintext subsystem is in charge of collection, 
storage and sending out plaintext data. The keystream subsystem prepares for the 
keystream bits and controls the synchronization between the keystream and the 
corresponding plaintext. The ciphertext subsystem takes charge of collection of 
ciphertext bits and sends them to the communication channel. 
clk1 
Reset 
Key 
Ciph~ext 
Plaintext Data Encryption system of OCFB Mode 1 / 
1 
IV 
Pattern 
Figure 5.3 Port relationships of the encryption system 
Encryption System 
l l 
Plaintext subsystem Keystream subsystem Ciphertext subsystem 
Figure 5.4 Block diagram of the encryption system 
The OCFB system needs PQ and CQ to store the data bits in order to ensure that 
the incoming and outgoing data speed are the same even while the processing of data 
57 
inside the system is not at a constant rate. The queues provide the storage for the 
incoming and outgoing data while a new block of keystream is being generated because 
the production of the new keystream block requires more time than one clock cycle and 
data may have to wait until the new block of the keystream is ready. 
The keystream subsystem uses a register SRI to store the input of the block cipher 
and a register SR2 to store the output of the block cipher. A counter, called shiftcounter, 
should be used to count the amount of shifting and a comparator is needed to check for a 
sync pattern in the ciphertext. 
The general sketch of the encryption system of OCFB mode is illustrated in 
Figure 5.5. In the figure, B stands for the length of a cipher block and n stands for the 
length of the synchronization pattern. R is the rate of data corning into the PQ and R' is 
the rate the plaintext bits that leave from the PQ. Re is used to represent the rate of 
encryption of the block cipher. It makes sense that the outgoing rate of keystream bits is 
equal to R' since the keystream bits directly XOR with the outgoing plaintext data. As 
well, the incoming bit rate of the CQ has to be the rate of outgoing from PQ, R', 
otherwise it will cause the loss of data or duplication. In order that data comes into the 
system and leaves the system at a uniform rate, the outgoing rate of data in the CQ should 
be equal toR. To reduce the possibility of PQ overflow as much as possible, R' must be 
greater than R to compensate for delay in producing keystream blocks due to the block 
cipher process when resynchronization occurs. 
In the figure, there are three clocks, clkl, clk2, and clk3, to control the running 
speeds of the data transfer and the block cipher. Among these three clocks, the clkl is the 
58 
fastest clock and it can be the system clock in the implementation. The clk2 and the clk3 
can be derived from the clkl. Since the data collection of PQ is based on the clk2, the rate 
of incoming plaintext data of PQ, R, is directly equal to the frequency of the clk2. As 
well, R' is equal to the frequency of the clkl andRe is equal to the frequency of the clk3. 
The system efficiency can be controlled by adjustment of these three clock frequencies. 
-c 
:::J F\ 0 B 1 (..) 
.:t:: 
SP2 :c (f) 
R 1 R' R 1 
dk2 dk2 
Plaintext queue Ophertext queue 
Figure 5.5 Structure of the encryption system 
In each subsystem, the plaintext subsystem, the keystream subsystem, and the 
ciphertext subsystem, there are two different rates. The plaintext subsystem collects 
incoming data at the rate R and sends data out at rate R '. The ciphertext subsystem has 
the reverse situation of the plaintext subsystem. For the keystream subsystem, the 
interfaces of the keystream subsystem use the rate R' to keep the same pace with the 
interfaces of the plaintext subsystem and the ciphertext subsystem. The core component 
59 
of the keystream subsystem, the block cipher, adopts the rate Re to control the running 
time of the block cipher in order to reduce the idle time of the keystream subsystem to 
improve the system efficiency. Hence, there are two conversions of the rate in the 
keystream subsystem. One is from SRi to the block cipher and the other is from the block 
cipher to SR2. 
5.2.2.2 Discussion on Queuing 
Both PQ and CQ have the same buffer size. While bits are coming into PQ, bits 
are leaving from CQ at exactly the same rate, like SCFB mode. During the period that the 
block cipher encrypts to produce the new block of keystream, the incoming plaintext bits 
are stored into the queue until the block of keystream is available. After the keystream is 
ready, PQ starts to shift bits out until the counter counts to the maximum or the sync 
pattern is found. The block cipher is then triggered to generate the new keystream block. 
The input of PQ therefore accepts bits at a uniform rate, but the output of the PQ shifts bit 
by bit only when the keystream is available. 
CQ has exactly the reverse situation as PQ. When the keystream is available, the 
CQ starts to accept the incoming data bit by bit. While the block cipher encrypts to 
generate the new keystream, CQ stops collecting data until the keystream is ready. 
However, the output of CQ keeps the uniform rate to send bits out. The CQ is initialized 
with arbitrary data so that it is in the full state initially when the PQ is empty. When PQ 
fills up, CQ goes to empty. The situation of overflow of the PQ is exactly the same as the 
situation of underflow of the CQ. Hence, the overflow condition of PQ only needs to be 
considered. 
60 
The size of the queue has an influence on the delay of data passing through the 
system. Let k represent the number of bits in PQ and M represent the size of PQ and CQ. 
The delay of data passing through is k + (M - k) = M bit times. To minimize the delay, 
the buffer size M should be as small as possible. However, M has to be large enough to 
save the incoming data when the block cipher produces the keystream. Because OCFB 
mode checks for the sync pattern all the time, bits fill up in PQ easily causing overflow if 
resynchronizations occur frequently. (This manifests as an underflow in CQ.) Loss of 
data bits will then occur. Whether or not PQ overflows is related to the occurring 
frequency of the sync pattern, the size of M, the time spent by keystream generation, and 
the incoming rate of plaintext bits. Of these four factors, the last three can be decided 
when the system is set up. However, the first factor relates to the size of the sync pattern 
and the time between sync patterns is given approximately as the geometric probability 
distribution [5]. The relationship between the probability of overflow and the buffer size 
will be discussed in Chapter 6. In order to minimize the probability of overflow, PQ has 
to be large enough and outgoing data rate leaving the PQ has to be greater than the 
incoming data rate. Hence, there is an important relationship among the rate Re of the 
block cipher encryption, the rateR' of bits removed from PQ, the rateR of bits coming 
into PQ and the buffer size. 
5.2.2.3 Discussion on Timing Characteristics of Implementation 
Clearly, there are two working threads in the OCFB system. One is the generation 
of the keystream and the other is data movement in the queues. In order to obtain higher 
system efficiency, the encryption of the keystream and the data transfer in the queue have 
61 
to work concurrently and shorten the idle time of each subsystem. The different rates, R', 
R, and Re, introduce the different times, T', T, and Te. T' represents the time spent 
sending one block (i.e. B bits) of plaintext data out of PQ, Tis the time collecting one 
block of plaintext data in PQ, and Te is the time generating one block of keystream. 
In this thesis for ease of implementation 50% efficiency is examined. 50% 
efficiency implies that for every B bits entering the queue, 2B bits are removed from the 
queue. Unlike SCFB mode, 50% efficiency does not have special meaning for OCFB 
mode. 50% efficiency is chosen because it allows the system to generate clocks that are 
integer multiples of the system clock clkl. This results in the following equations where 
R, R' andRe are in units of bits I second: 
Efficiency = R I Re = 50% 
R' = 2 * R 
R'=Re· 
From the three equations above, it is easy to deduce the equations as below: 
T' = T/2 
T' = Te 
Re =BITe 
From the equations above, it is seen that the generating time of one block of 
keystream, Te, is the same as the leaving time of one block of plaintext data, T'. Te and T' 
are equal to half of T. This implies that the generation of one block of keystream and the 
XORing of one block of plaintext have to be completed in the time of T I 2 for 50% 
efficiency. 
62 
The encryption processing of OCFB system can be described as follows. After the 
system is reset, the keystream subsystem starts to produce a new block of keystream and 
the plaintext subsystem begins to collect the incoming data. Since the collecting speed of 
the plaintext data is two times slower than the generation speed of one block of 
keystream, it can be imagined that B I 2 bits would be in PQ when the generation of one 
block of keystream is finished. Then PQ starts to send data out to XOR with keystream 
generated bit by bit after the keystream is ready. During B bits of keystream XOR with 
the B bits of plaintext data bit by bit, PQ still collects incoming data at the rate of R. This 
can happen only when resynchronization does not occur. If resynchronization occurs, 
only part of the B bits in PQ XOR with the key and the rest of the bits will stay in the 
queue to wait until the new keystream block is generated. It is clear that bits will fill up in 
the queue and might cause overflow if resynchronization occurs frequently. Enlarging the 
queue size may be a better way to decrease the probability of overflow, but it will suffer 
from longer delay. 
Figure 5.6 illustrates the timing relationships between the data flow associated 
with PQ, CQ and the keystream. This figure also shows some detailed considerations for 
implementation. In the diagram, clk2 = 2 * clkl since R' = 2 * R. The up I down arrows 
indicate that the components are triggered by the rising/falling edge of clock. The lower 
case s stands for shifting and the lower case w for writing. Because a component in the 
hardware implementation cannot resolve two signals simultaneously, the rising and 
falling edges are selected to avoid two signals affecting one component at the same time. 
Writing into the PQ is controlled by clk2. The rising and falling edges of clk2 are always 
63 
on the rising edge of clkl. Hence, there is no limitation on the selecting of the rising or 
the falling edge for the writing of the PQ. However, the control of the shifting of PQ has 
to use the falling edge since writing has already occupied the rising edge. CQ has the 
same situation except writing is using the falling edge of clkl and shifting is using the 
rising edge of clk2. Because a plaintext bit is shifted out on the falling edge of clkl, the 
keystream has to keep the same pace as the plaintext bit to guarantee the synchronization. 
Hence, the interfaces of the keystream part have to use the falling edge of clkl. The 
writing of CQ triggered by falling edge cannot write the latest bit but the previous one 
because the generations of plaintext and keystream depend on the falling edge of clkl. 
Therefore, the data of CQ is delayed one clkl cycle. 
PQ s s s s s s s s s s 
elk 
w w w w w 
elk~ J l J J L 
CQ w w w w w w w w w w 
elk 
s s s s s 
elk~ r r r J L 
Keystream s s s s s s s s s s 
elk 
Figure 5.6 Timing relationships between PQ, CQ, keystream 
64 
5.2.2.4 Bottom-up Hardware Implementation 
In this part, the plaintext subsystem, the ciphertext subsystem and the keystream 
subsystem are implemented individually as foundational subsystems and then encryption 
system is built up from them. (The decryption system of OCFB mode has the same 
structure as the encryption system.) 
Some conditions are assumed before the implementation. In this implementation 
the Rijndael algorithm is used as the core algorithm of the block cipher. Alternatively, 
triple DES, DES or other algorithms which are thought to be secure can be used as the 
block cipher. For Rijndael, the length of each block is 128 bits. Hence, the sizes of SRI 
and SR2 must be 128 bits as well. To decrease the delay as data passes through the system 
and to make the possibility of overflow I underflow low, the sizes of PQ and CQ are 
chosen as 256 bits. The sync pattern is chosen as "10000000" and the length is 8 bits. 
• Plaintext Subsystem 
As mentioned above, PQ is a 256 bit queue and collects data bits while the 
keystream subsystem produces a new block of keystream. After the new block of 
keystream is ready, the PQ starts to send bits out. The writing of PQ is triggered by the 
rising edge of clk2 and shifting out is triggered by the falling edge of clkl under the 
condition that the valid signal, named val, is '1'. The PQ is illustrated in Figure 5.7. 
The implementation of PQ should include the following interface parts: 
a. The val signal indicates whether the output of PQ is valid or not. 
b. One 8-bit write pointer points to the correct position for writing. 
65 
c. The signal clk2 is generated for clkl and is twice clkl because of 
50% efficiency. 
d. One data input port and one data output port 
val / 
clk2 [> 1----J /1 
Plaintext queue 0 < clk1 255 254 1 
Data bit 
/1 h plaintext 
/1 
/ 
v 8 
Write_pointer 
Figure 5.7 Structure of the plaintext queue 
• Ciphertext Subsystem 
The ciphertext queue has the reverse situation of PQ and is shown in Figure 5.8. It 
collects data bits according to the falling edge of clkl when the val signal is '1' and stops 
collecting bits when the val is '0'. The output of the CQ is timed by the rising edge of 
clk2. The write pointer points to the position for the incoming data bits. The CQ starts 
from the full state with arbitrary data. To make checking easier, the initial value of CQ is 
set to all of '1 's. Hence, the write pointer starts from 255, increases by one at the falling 
edge of clkl when val is '1 ', and decreases by one on each rising edge of clk2. 
val/ 
< 
clk2 
1 
clk1 > 255 254 Ciphertext queue 1 0 ciphertext 
Data bit/ / 
/1 /1 
Ya 
Write_pointer 
Figure 5.8 Structure of the ciphertext queue 
66 
• Keystream Subsystem 
The keystream block consists of two 128-bit registers SRI and SR2, the core block 
cipher, and a shiftcounter which includes one 8-bit comparator and a counter, as shown in 
Figure 5.9. 
IV 
,.}
1
128 
~ SR1 I ciphertext I 
I 8-bit comparator ,J/128 
- 8 
.-:~q //1 
clk3 (> input 
~ Counter_done Block cipher 
kev 
> shiftcounter / 1 ~ load Key done 
output 
/ 
/ 128 /1 
eli> 1 1 SR2 
1 
~!_a-ding 
121 
I / 
1 ~ keystream 
Figure 5.9 Hardware structure of the keystream subsystem 
This part mainly takes charge of the generation of keystream. The 8-bit 
comparator compares the first 8 bits of SRI with the sync pattern until the sync pattern is 
found. The eq signal in the figure is the output of 8-bit comparator. It sets the counter to 
the maximum when eq is equal to '1 '. The counter then sends a done signal out to the 
core algorithm of the block cipher. This counter _done signal triggers the block cipher to 
load the 128-bit data of SRI as the input of the block cipher. Rijndael, the core algorithm 
of the block cipher, controlled by clk3 is in charge of the generation of the keystream. 
67 
The time spent by the Rijndael algorithm is mainly constrained by the method of 
implementation of the algorithm and the current hardware technology. The frequency of 
clk3 is derived from the system clock, clkl, and is equal tog * clkl where g is an integer 
and decided by system efficiency, the time used by the generation of one block of 
keystream and the time used by collection of one block of plaintext data. After the new 
keystream is produced, the key _done signal is set to '1 '. Due to the connection between 
key_done signal and the loading port directly, SR2 loads the output of the block cipher 
asynchronously and then shifts data by the falling edge of clkl. The data shifted out from 
SR2 is XORed with the plaintext bit to produce the ciphertext bit. 
• Encryption System 
The plaintext subsystem, the ciphertext subsystem, and the keystream subsystem 
together make up an encryption system. After the system is reset, PQ starts to collect 
data, CQ starts to shift data out and the block cipher is triggered to generate the 
keystream block. Simulation waveforms are shown in Figure 5.10, Figure 5.11, Figure 
5.12, Figure 5.13, and Figure 5.14. PQ is initialized to all '0' and CQ is initialized to all 
'1'. Because the input data of PQ is always given to '1', it is easy to check data 
movement in PQ. 
Figure 5.10 shows the movement of data in both PQ and CQ after the system is 
started. Figure 5.11 shows that the generation of the keystream is done. The keystream 
generated is then XORed with plaintext to produce ciphertext until the counter counts to 
128 in Figure 5.12. The eq signal turns to '1' in Figure 5.13. It is implied that the current 
process is stopped and the new key will be generated by the block cipher. The new 
keystream is generated in Figure 5.14. More waveforms are shown in Appendix B. 
68 
0\ 
1.0 
llsynopsys Waveform Viewer- OCt=B_fr-.!CRYPT_TEST_BENC:H.jaguar~t¥#12 .. aur.O- {Ubtitted] '1 ~ ¥ W &~~0 MW£ ~"" +w~g4$_-~ ,. 
File _Edit Marker J;ioTo ~iew Qptions Window Help 
n1~r,.1 .x.t~l~t aJ•I•I•t~\t*f~t:,;lmr '~<t~t~r»T+I...!...IIiilll.~~·" : ••. ·• .·· ·Ffiri ff:i'?E·> ...• ::t'\~. Liit• t'\ 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT _TEST _BENCH/CLK 1 
/OCFB_ENCRYPT _TEST _BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_ OUT 
.,.. /OCFB_ENCRYPT _TEST _BENCH/IV( 127:D) 
.,.. /OCFB_ENCRYPT _TEST _BENCH/KEY(255:D) 
/OCFB _encrypt_ test_ benchltenO/counter _done 
/OCFB _encrypt_ test_ benchltenO/key _done 
/OCFB_encrypt_test_benchltenO/val 
.,.. /OCFB_encrypt_test_bench/tenD/enD/parai(255:D) 
.,.. /OCFB_encrypt_test_bench/tenO/enD/w _prt(7:D) 
/OCFB_encrypt_test_bench/tenD/enD/plaintext 
/OCFB_encrypt_test_bench/tenD/keystream 
/OCFB _encrypt_ test_ bench/tenD/ciphertext 
.,.. /OCFB_encrypt_test_bench/tenD/en3/parai(255:D) 
.,.. /OCFB_encrypt_test_bench/tenD/en3/w_prt(7:D) 
/OCFB_encrypt_test_bench/tenD/en1/k4/cc1/i_counter 
/OCFB _encrypt_ test_ bench/tenD/en 11k4/eq 
/OCFB_encrypt_test_bench/ten0/en3/ctrl2_i 
/OCFB _encrypt_ test_ benchltenO/cipher 
ll 14 ~~ , , l , ... , , , , 5~ , , , , , , , , 1 ~0 , , 
D 355D25B47 A2ABAB2BB2BCD715354EAAD 
495254952549525495254952549520 549525495254952549525495254952549525495254952549E 
DDD000000000000000000000000001 
FFFFFFFFFFFFFFFFFFFFFFFFFFF 
F7 
Figure 5.10 Simulation waveform of the encryption system 
-..l 
0 
~Synopsys Wavefom1 Viewer- OCFB .... ENCRVPT_TfST_BENCM .. @guar~J1Af!Jaow:O- f]Untitl:ed]j ~ ~"§!!$~'\, ~~¥h ~~ :WHgS'i r'?t ' 
...J 
Eile Edit Marker §oTo Yiew Qptions Window .!::!_elp 
iPI~IIiilfa~.lt,i"t$J~f.•· BIBIIIIIII. z-f'lz..:IIIIIIJ 1 t<l.:... l4:li>>l+f ..!lJJiiJI.I ~!·i~f~~s : .•• , •... ·. :~! .. l!·§~l?"'d· ·;±z:?~I··,:¥W,AY" .··. 
/OCFB_ENCRVPT _TEST _BENCH/RESET 
/OCFB_ENCRVPT _TEST _BENCH/CLK 1 
/OCFB_ENCRVPT _TEST _BENCH/CLK3 
/OCFB_ENCRVPT _TEST _BENCH/SER IAL_I N 
/OCFB_ENCRVPT _TEST _BENCH/SERIAL_ OUT 
ll>- /OCFB_ENCRVPT _TEST _BENCH/IV( 127:D) 
t> /OCFB_ENCRVPT _TEST _BENCHIKEV(255:D) 
/OCFB _encrypt_ test_ bench/tenD/counter_ done 
/OCFB _encrypt_ test_ bench/tenO/key _done 
/OCFB _encrypt_ test_ bench/tenD/val 
ll>- /OCFB_encrypt_test_bench/tenO/enD/parai(255:D) 
ll>- /OCFB_encrypt_test_ benchltenO!enD/w _prt(7:D) 
/OCFB_encrypt_test_bench/tenO!enD/plaintext 
/OCFB_encrypt_test_bench/tenO!keystream 
/OCFB _encrypt_ test_ bench/tenD/ciphertext 
t> /OCFB_encrypt_test_bench/tenD/en31parai(255:D) 
ll>- /OCFB_encrypt_test_bench/ten0/en31w_prt(7:D) 
/OCFB _encrypt_ test_ bench/tenD/en 1/k4/cc 1/i_ counter 
/OCFB _encrypt_ test_ bench/tenD/en 1/k4/eq 
/OCFB_encrypt_test_benchlten0/en3/ctrl2_i 
/OCFB_encrypt_test_bench/tenO!cipher 
... 
(1 
50 100 
24 
D 55D25B47 A2ABAB2BB2BCD715354EAAD 
5485254852548525485254852548525485254~525485 48525485254852548525485254852D i~====r===~~========================================= 
u 
DDDDDDDDODDDDDODODOODOOOOD0003 
FFFFFFFFFFFFFFFFFFFFFFFFFFF 
F7 
Figure 5.11 Simulation waveform of the encryption system 
-..) 
........ 
~5ynopsys Waveform Viewer- 0Cf8_ENCRYPT_:TEST_BENCH.jaguar.l:J!412.ow,:O- [untitlid] ~S ~ ~ ~ei1'4t& "~ ~'a~ :~~ 
Eile _Edit Marker §oTo Y:iew Qptions Window .!::!_elp 
t:OI~Ir.lf'.;Y.I~l~l IIIIIIBIIBJ ~-tfz-IBL kf;:.tf~I>?I+H~ lii.Jil ~r <•,;;~Ji.'~lt::x~X;~i~t7:l';l> · ..•• :2 ··¥~!~£!; ~·'··· · 
; • 11 787 '"' 0w:~·~•l• 1;••1 1 1 1 1 8~0 1 1 1 1 1 1 1 1 ~·8~~1 1 
/OCFB_ENCRYPT_TEST_BENCHIRESET 
/OCFB_ENCRYPT_TEST_BENCHICLK1 
/OCFB_ENCRYPT_TEST_BENCHICLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_ OUT 
1> /OCFB_ENCRYPT _TEST _BENCH/IV(127:0) 
1> /OCFB_ENCRYPT _TEST _BENCHIKEY(255:0) 
/OCFB_encrypt_test_bench/tenO/counter _done 
/OCFB_encrypt_test_benchltenOikey _done 
/OCFB_encrypt_test_benchltenotval 
1> /OCFB_encrypt_test_bench/tenO/enOiparal(255:0) 
1> /OCFB_encrypt_test_benchlteno/eno/w_prt(7:0) 
/OCFB_encrypt_test_benchltenO/enO/plaintext 
/OCFB_encrypt_test_bench/tenO/keystream 
/OCFB_encrypt_test_bench/tenO/ciphertext 
1> IOCFB_encrypt_test_bench/ten01en3/paral(255:0) 
1> /OCFB_encrypt_test_benchlten01en3/w_prt(7:0) 
/OCFB_encrypt_test_benchlten01en1/k41cc11i_counter 
/OCFB _encrypt_ test_ bench/tenOien 1/k41eq 
/OCFB_encrypt_test_bench/ten0/en3/ctrl2_i 
/OCFB_encrypt_test_bench/tenO/cipher 
D I 355025 47A2ABAB2882BCD715354EAAD 
495254952549525495254952549520 52549525495254952 49525495254952549525495254952549525495: 
00000000000001 FFFFFFFFFFFFFFF"* 
FFFFFFFFFFFFFFFFFFFFFFFFFFF 
Figure 5.12 Simulation waveform of the encryption system 
ii.IS-tiVSW"'"tfufm-·OCI'IU'NCR'I'I'T_'I'f'l!T~~.U'4t~~ !lli"!ilb'!ll ,z:-·::W ,·,&,·· ~ , 
/OCFB_ENCRYPT_ TEST _BENCH.I'RESET 
/OCFB_ENCR'r'PT _TEST _BENCH!CLK 1 
!OCFB_ENCRYPT _TEST _&N<::W'CLK3 
IOCFB_c~T ~TEST _6£N<.r!ISER!Al_1N 
JOCF!;LENCRYPT _TEST _!3EI'..ICHI'S£R!At_OUT 
"" /OCFB_ENCRYPT_TEST _BENCHftV{1270} 
1\>- fOCFB_ENCR:YPT_ TEST~BENCHlKtY{£"f.>B:Oj 
i<JCF 8 _ er>C~"lf't_ te st,}nntt:hll:t%n1:Veovnter _ tiOtle 
tOO'~ _ener,'l}\,,tc";>t,,bent:Men(l!key 3krne 
/OCF!;)_encrypt_test_uen~hitcnfifva! 
-.J ' N 1>- fOCFB _em;rypt_tesl'_ bencl"l!:t:TM:O.tenntpara!(Z55:{f) 
10- /OCFB_en&!)'l}t_ tes~_ beneMenalen&'4> _;:n~{?:fll 
tOCF B _ eno'1'1}t_~et>t __ bene!v\ct'[iitmttrr,faintext 
JOCFB ,.encrypt _tec.~._be,eMer:V.'Keysveam 
JOCFB _ enc!)'l}t_ te;;t_ benchl!:nnQ!clphertuA 
"" /OCFB_ encr,'l}t_ test_ bena::hltenntcn:Yparal(ZSS:fl) 
• fOCFB _ enel)'J)t_ tesurencM~Oten3Jv; _ptt{i£1) 
tOCFB_enci)I'Pt_teJ>,t_bettchi'tenotent!K4/ceUi_ctturtter 
JOCFB_encl)"Pt_tel>t}>et'lt:iv'tent:.Jen1lk41'eq 
i0CF8_ern:;rypr_wst_ bet'ICMl!!'nOlen:YctriZ_i 
/OCFB _encl"ypt_ test_b:encMenO/clpher 
• !OCFB_nncl)'l}{_tnst_~rt&eni~aUI(lZ7:0l 
Figure 5.13 Simulation waveform of the encryption system 
-..1 
w 
ii!S-"vsW«VEfurm~-OO'Il.J!NCI!;YPT_TE!iT~~.Uitt~>< ~ ,ii), ,~';,:<,''""·"•We J.~l;~ , ,• "' 
IOCFfUC:NCfr'fPT ~TEST _BENCHmE:StT 
/OCFEU~NCfWPT _ TEST.J~ENCHtCLK 1 
lOCFB_ENCftVPT_ TEST ~BENCKiClK::il 
ft">CFSJSNCRVPT_ n:rn _!3ENCHISEJ'tiAl_U\! 
!OCFS_E:NCRVPT_TEST_SENCHlS£P.ii<-L_OVT 
*""' /OCFS_ENCR'ff'T _TEST __ SENCH!IV(12:7::Q} 
.,.. /OCFB_ENCRVPT_TEST _BENCH!XEY{2SS:D) 
IOCFB _encrypt_test_ hcnclv'terrntcoonu.:r _done 
fOCFB _il'ncrypt_ tes~_ bl':'ntn.'l'er1\li'hy _done 
!OC.f': B _ ttncl)<pl_tes~_ben ctv'l:en&val 
• !OC.F B_ ttnci)'Pt~test.})enchlte•lC'Jer~a<al{2SEdl) 
• J{)CFB_ enc~",'Pt-~e::.t_t>enct'!.•'te<~t:llenOtw -~7:0) 
JOCF B,,_er,cr)rpt_te1't_benclvten\VenQ!plak~ 
tOCFB.,enetypt,}e.,t)>enenttenwh;.yzMweam 
f{)CFELem::rypt_test_ b~hi'mnnfcJpherteJ& 
• /OCFB_enerypt_J.esA'_ bencMenf\lem3/para!(ZSS:tl) 
*""' fOCH~_encryp!_te!>t_beru::hlteneten$!'.v _prt(?:tl} 
IOCFB _ ancrypt_test_lrem:Mentlfen llL<~l:c 11\.:Ct.n.mter 
iOCFO _enctypt_te:.t_ hem::MenQf-en1/k4teq 
!OCFB_ enci)'Pt_test_ ooncMroQfen3/ctrll.J 
fOCFB_encl)<pt_te:.U:lent:Menurc~ph1tt 
:5 
496?54952$4$S254S5254SS25425tD 
A lli'$$0C4 !Dn$S03E:"ll•.s5? t~:IJ<~A!;i 
Figure 5.14 Simulation waveform of the encryption system 
• Decryption System 
The decryption system has the same structure as the encryption system except the 
plaintext rather than ciphertext is shifted into the last bit of SRI. The simulation 
waveforms of the decryption system are shown in Appendix B. 
5.2.2.5 Test Methodology 
After implementation, it is very important to prove that the implementation is 
correct. We can use ANSI C I C++ programming to generate random plaintext to store in 
an input file. A test bench is able to take data from the input file. After encryption, 
ciphertext data is saved in an output file. The test bench of the decryption system 
automatically reads data from the output file as input data. It will store the output of the 
decryption system in another output file. Therefore, the content of the output file of the 
decryption system can be compared with the input file of encryption system to check for 
the correctness of implementation. 
The result of the decryption of the OCFB mode is shown in Appendix B. It 
demonstrates that the structure and the method used to implement OCFB mode are 
correct. 
5.2.2.6 Complexity of Hardware Implementation 
The hardware implementation of the OCFB mode is implemented using VHDL 
and synthesized using Synopsis with 0.18 pm CMOS technology. The hardware 
complexity is collected by design analyzer of the Synopsis tool with the constraint of the 
system clock frequency of 10 ns. The area of synthesized circuits, which is in square 
74 
microns (Jtm2), is converted to the gate count by using the two-input NAND gate which 
has the area of 12.197 Jtm2 as a basis for comparison. 
The resulting synthesized Rijndael algorithm comes from [12]. From Table 5.1, it 
is obvious that the implementation of Rijndael algorithm occupies over 90% area in an 
encryption system when the OCFB mode is implemented by serial transfer. 
Component Combinational Noncombinational Total Area Total Gate Name Area Area 
Plaintext 265167 158 265167 21740 
subsystem 
Keystream 
subsystem 20575 28799 49375 4048 
without 
Rijndael 
Rijndael 612834 
algorithm 
Ciphertext 264045 1122 265326 21753 
subsystem 
Encryption 660376 
system 
Table 5.1 Hardware complexity of the encryption system of OCFB mode 
5.2.2.7 Discussion of Other Structures 
There are other structures that are suitable for the implementation of the OCFB 
system. One approach would be to remove the PQ and the CQ and let the incoming rate 
of data and outgoing rate of data be consistent. A block cipher output must then be 
generated within one bit time. This would clearly minimize the delay through the system. 
75 
However, the block cipher part of the system is in an idle state for most of time. This 
implies that the block cipher runs at the rate of B times the data rate. The system 
efficiency becomes 1/B, which is the same as CFB mode. Hence, this approach has little 
value. 
5.3 Conclusion 
This chapter introduces the concepts of OCFB mode and investigates the 
hardware structure of an OCFB system. In the hardware implementation of OCFB mode, 
serial transfer is applied to the hardware implementation of OCFB system to simplify the 
hardware structure. For the investigation of hardware implementation, it is shown that it 
is practical to achieve the ability of self-synchronization from bit slips or insertions in 
communication channel and still obtain higher efficiency than CFB mode (50% in our 
implementation). Hence, OCFB system can be used for high speed network applications. 
76 
Chapter 6 
Performance Analysis of SCFB and 
OCFB Modes 
This chapter analyzes the performance of SCFB mode and OCFB mode with 
respect to theoretical efficiency, synchronization recovery delay, error propagation factor, 
full-queue efficiency, practical system efficiency, and the relationships between 
efficiency, buffer size, and the probability of buffer overflow [5]. The characteristics of 
SCFB mode and OCFB mode then are compared. 
6.1 Basic Parameters of Performance Analysis 
In this section, the concepts of basic metrics of performance analysis are 
introduced. These metrics indicate the system abilities of efficiency, synchronization 
recovery, and error recovery. 
• Theoretical efficiency 
Theoretical efficiency is defined as [5]: 
1. D/ B rJ = lm--------------
D-7= E{ #block cipher operation forD bits} (6-1) 
Here the denominator is the expected number of block cipher operations required 
for the encryption of D bits. The numerator represents the number of blocks 
77 
corresponding to the encryption of D bits. The theoretical efficiency represents a rate at 
which the stream cipher can encrypt compared with the rate of the block cipher. 
For OFB mode, 1J can be 1 because all B output bits of the block cipher can be 
used in the stream cipher keystream. For CFB mode, if it is guaranteed to resynchronize 
from individual bit slips, CFB must have m = 1. Then 1J = liB << 1. That is the reason 
why the CFB mode is a very inefficient mode and why an investigation of SCFB mode 
and OCFB mode is of interest. 
• Synchronization Recovery Delay (SRD) 
The SRD is defined as the expected number of bits between the synchronization 
loss and resynchronization. It is a measure of the recovery speed from the sync loss. It is 
worth noting that the SRD does not include the lost bits and there is no explicit 
specification on the number of bits lost in the slip [5]. 
• Error Propagation Factor (EPF) 
The EPF measures the bit errors on the output of the decryption when a bit error 
occurs in the communication channel. It is a metric to examine the influence of a bit error 
on the data recovered. It is defined as the bit error rate of the plaintext recovered by the 
decryption system divided by a bit error rate in the communication channel [5]. 
6.2 Performance Analysis of SCFB Mode 
The performance analysis on SCFB mode is presented in [5]. However in order to 
provide the background and to compare it with OCFB mode, it is repeated below. 
78 
6.2.1 Theoretical efficiency 
The theoretical efficiency is used to indicate that the rate at which the block 
cipher must operate to avoid data growing without bounds in PQ. For SCFB mode, the 
ciphertext bits in the communication channel can be categorized as shown in Figure 6.1. 
In the figure, n represents then bit sync pattern, B represents the B bit IV and k represents 
the number of bits following IV until the sync pattern occurs, which is referred to as OFB 
block. A synchronization cycle consists of the data bits from the beginning of the sync 
pattern to the beginning of the next sync pattern. Hence, the size of the synchronization 
cycle is equal to n+B+k. Because k is the amount of data before the sync pattern is found, 
k is a random variable and decided by a probability distribution dependent on the sync 
pattern used (e.g. 1111..11, or 1000 .. 00, etc.). Assuming that 0 and 1 have equal 
probability in ciphertext and each n-bit sequence is independent, then the distribution of k 
is geometric and the probability of a particular sync pattern is 1/2n . 
....... , n B k B 
Figure 6.1 Synchronization cycle 
Strictly, the distribution of k is related to the sync pattern used (e.g. 11...11, or 
10 ... 00, etc) and not the geometric distribution because each n-bit sequence is not 
independent but overlaps n-1 bits of adjacent sequences when checking for the sync 
pattern. However we use the geometric distribution for k as an approximation [5]. 
Hence, the probability of a particular n-bit sync pattern is 1/2n and the probability 
distribution of k is 
79 
(6-2) 
As a result, the expected value of k is 
(6-3) 
and the second moment of k is 
(6-4) 
The expected synchronization cycle size is 
J1 = n + B + 2n -1 . (6-5) 
It is always true that n+B +k = a B+O where a and o are integers and o <B. 
Hence, the block cipher has to run (a +1) block encryptions to produce enough 
keystream to encrypt a B+ 0 plaintext bits and the running rate of the block cipher 
should be greater than the rate of straight block encryption. From the equation (6-1), we 
can get 
E{sync cycle size}/B 
1J = E{#block cipher operations per sync cycle} (6- 6) 
This leads to 
fl/B 1J = -~---'------- (6- 7) 
2: p(k) ·I (k +n+ B)/ Bl 
k=O 
By deduction, we can get that I] becomes a function of nand B [5]: 
80 
j.t/B 
(6- 8) 
Figure 6.2 shows the relationship between sync pattern size n and theoretical 
efficiency fJ with 64, 128, and 256 bits block. It is obvious that all the theoretical 
efficiencies are greater than 50%. This is because at least one full block is used in each 
synchronization cycle since B bits are associated with the IV. Therefore, the theoretical 
efficiency of SCFB mode is much better than CFB mode. With the increases of the sync 
pattern size, the theoretical efficiency gets larger. For larger n, the stream cipher can be 
run at a rate very close to the rate of straight block encryption as the theoretical efficiency 
approaches 1. Because large n has lower the occurring probability than small n, most bits 
in the synchronization cycle belong to OFB block. This causes the SCFB mode with large 
n mainly running as OFB mode. Hence, SCFB mode with larger n can attain much higher 
theoretical efficiency. The graph also demonstrates that the theoretical efficiency is lower 
when block length B is larger. The efficiencies are still much higher than conventional 
CFB mode and are close to 1. 
6.2.2 SRD 
SRD of SCFB mode is tested by experiment and the result is shown in Figure 6.3 
which is plotted as the logarithm base-2 of the SRD. From the figure, it can be seen that 
SRD is approximately 2n for large n (n 2: 10). For small n (n ~ 4), there is a situation that 
the probability of a slip occurring near the end of the OFB block is much higher than the 
81 
case of n ~ 4. Hence, it is more likely that the receiver will interpret the next valid sync 
pattern bits as part of the false IV and will ignore them. As a result, resynchronization 
will be delayed until the next proper sync pattern. If misinterpretation happens several 
times, it will cause higher SRD. Unfortunately as can be seen from the figure, this 
phenomenon is prevalent for small n. The experimental results are obtained under the 
condition that the sync pattern chosen is of the form of 100 ... 00, 109 bits are encrypted 
and the probability of a bit slip rate is 10·5. The Rijndael algorithm is used as the block 
cipher with a block length of 128 bits. 
1.2 
~ 
r::: Q) 
~ 0.8 
w 
iij 0.6 
1.1 
ti 0.4 g 
..r::: 0.2 
1-
-+- B = 64 bits 
-B = 128 bits 
B = 256 bits 
0 2 3 4 5 6 7 8 9 10 11 12 
Sync Pattern Size 
Figure 6.2 Theoretical efficiency vs. sync pattern size 
6.2.3 EPF 
In this section, the characteristics of EPF are examined. Figure 6.4 illustrates the 
experimental results which assume that the error probability is 10-5, 109 bits are encrypted 
in the experiment and errors are randomly generated in the communication channel. It is 
clear that EPF is a function of n with fixed block length. The position in which an error 
82 
occurs in the synchronization cycle has a great influence on EPF [5]. The two basic cases 
are: 
• If the error happens in n+B bits of synciiV block, the synchronization will 
be lost and (n+B+k) I 2 bits are the expected error. 
• If the error happens in k bits of the OFB block and no false sync occurs, 
only one bit error can be caused at output of decryption. 
When the value of n is small, there is a higher possibility that the error will 
happen in n+B bits necessary to cause missing of the sync pattern or the incorrect IV. 
That will cause EPF to be higher when n is small. As n is getting larger, most bits in the 
synchronization cycle belong to OFB block and most errors happen in the OFB block, 
which makes EPF relatively lower. EPF of SCFB mode is on the same order as for CFB 
mode (EPF = B I 2) and is higher than that of OFB mode (EPF = 1). 
6.2.4 Practical Efficiency of SCFB Mode 
The theoretical efficiency is an ideal efficiency and represents the upper bound of 
efficiency [5]. In reality, the addition of queuing and the method of implementation have 
a great influence on system efficiency. "Full-queue efficiency" represents the system 
efficiency while PQ has data to process. It is the efficiency at which the system operates 
at its peak rate. Assume a is the full queue efficiency and R is the rate at which bits enter 
the PQ in bits per unit time, the system will remove bits from the queue in blocks of B 
bits at a rate of (11 a) x RIB blocks per second if there are more than B bits in the queue. 
50% efficiency implies that for every B bits entering the queue, 2B bits are removed from 
the queue to XOR with the keystream. 
83 
16 
14 
12 
c~ 10 
a: 
~ 8 Cl g 6~~~~~ 
4 
2 
0 
2 4 6 8 10 12 14 
Sync Pattern Size 
Figure 6.3 Synchronization recovery delay vs. sync pattern size with B = 128 
140 
120 
100 
LL 80 
c. 
w 60 
40 
20 
0 
2 4 6 8 10 12 
Sync Pattern Size 
Figure 6.4 Error propagation factor vs. sync. pattern size with B = 128 
"Average efficiency" is greater than full-queue efficiency. Because the average 
efficiency represents the average rate at which system operates including the period that 
the PQ has fewer than B bits and the system has to wait and the period that the PQ has 
more than B bits. If the system is stable, the full-queue efficiency must be less than the 
average efficiency and the average efficiency must be less than the theoretical efficiency 
[5]. 
84 
6.2.5 Relationship Between Buffer Size and Overflow Probability 
In this section, the requirement on buffer size in the practical implementation of 
SCFB mode is investigated experimentally. The experiment is based on the Rijndael 
algorithm and the 8-bit sync pattern of "10000000". Figure 6.5 shows that the probability 
of overflow is a function of buffer size with 78.1 %, 84.4%, and 90.6% full-queue 
efficiency, respectively. In theory, the system can attain the efficiency of 91.1% but it is 
clearly seen that the system will suffer from significant buffer overflow even for a buffer 
size up to 512 bits. 
--+-Full-queue efficiency = 78.1% 
-111- Full-queue efficiency = 84.4% 
Full-queue efficiency = 90.6% 
0.12 
~ 0.1 0 
'E 
~ 0.08 
0 
- 0.06 0 
~ 
:c 0.04 
C!l 
..c 
0 0.02 ... 
c.. 
0 
,rvco ,ro<:::J ...._O;rv rvrf rv'<:Jro rv<oco ~rv<:;:, ~'<:Jrv ~co"> ">"ro .j<co ">co<:::J '<:J"rv 
Buffer Size 
Figure 6.5 Probability of overflow vs. buffer size with Rijndael 
It is noteworthy that the system will not overflow for a buffer size of B with 50% 
efficiency. With this efficiency the block cipher is being run at two times the rate of 
incoming bits of PQ. Hence, even for the worst case that block cipher needs two 
complete encryptions to finish the encryption of B + l (n ~ l ~ B) bits when sync pattern is 
found. Hence, it is guaranteed that no overflow will occur for 50% efficiency with B bit 
buffers and delay exactly B bits times. 
85 
6.2.6 Relationship Between Encryption Efficiency and Overflow 
Probability 
Figure 6.6 shows that the probability of overflow is a function of the full-queue 
efficiency with fixed buffer size. The probability of overflow increases dramatically with 
the increase of the full-queue efficiency. In the figure, the buffer size is fixed at 192, 224, 
or 256 bits and the block cipher uses the Rijndael algorithm. As expected the probability 
of overflow will get higher as the buffer size is smaller. 
6.3 Performance Analysis of OCFB Mode 
6.3.1 Theoretical Efficiency 
In this thesis, the efficiency of OCFB mode does not adopt the definition in [13]. 
Because the efficiency of OCFB mode needs do comparison with the result of SCFB 
mode, I adopted the definition of the efficiency that [5] provided. The differences of these 
two efficiencies lie on that the efficiency in [13] is absolute efficiency and the efficiency 
in [5] is comparative efficiency. 
For OCFB mode, the ciphertext transmitted in the communication channel can be 
categorized as illustrated in Figure 6.7. In the figure, n represents the size of the sync 
pattern and k represents the length of data without the sync pattern. A synchronization 
cycle is referred to as a set of bits from the beginning of the sync pattern to the beginning 
of the next sync pattern. Because OCFB mode checks for the sync pattern at anytime, 
there is no B-bit new IV block in the synchronization cycle as in SCFB mode. Hence, a 
synchronization cycle consists of n + k bits. 
86 
Because k is the amount of data before the sync pattern is found, k is a random 
variable decided by the probability distribution dependent on the sync pattern used (e.g. 
1111..11, or 1000 .. 00, etc.). Assuming that 0 and 1 have equal probability in ciphertext 
and each n-bit sequence is independent, then the distribution of k is geometric and was 
already given in the equation (6-2). The corresponding expect value of k and the second 
moment of k have given in the equation (6-3) and (6-4). The probability of a particular 
sync pattern is 1/2n. 
-Buffer Size= 192 bits 
-+-Buffer Size = 224 bits 
Buffer Size= 256 bits 
Full-Queue Efficiency 
Figure 6.6 Probability of overflow vs. efficiency with Rijndael 
n k k 
Figure 6.7 Synchronization cycle of OCFB mode 
Strictly, the distribution of k is not the geometric distribution because each n-bit 
sequence is not independent but overlaps n-1 bits of adjacent sequences when checking 
87 
for the sync pattern. However we use the geometric distribution for k as an 
approximation. Hence, the expected synchronization cycle size f.1 is: 
(6-9) 
From the basic definition of theoretical efficiency (6-1), the equation below can 
be derived 
E{sync cycle size}/ B 
17 
= E{#block cipher operations per sync cycle} 
It is easy to deduce that: 
f-l/B 17 = _00 __ ...;....__ __ _ 
LP(k)· !Ck+n)!Bl 
k=O 
Following the approach in [5], the following equation can be deduced 
17 = (1-l/ 2n)B-n+l 1 + --'---------'---::-
= 
1- (1-l/2n )8 
(n+2n -1)/ B 
(1-1 / 2n )B-n+l 
1+-----=-
1-(1-l/2nl 
(6-10) 
(6-11) 
(6-12) 
From equation (6-12), it can be seen that theoretical efficiency is converted to a 
function of n and B. This equation is plotted in Figure 6.8 with the block size of 64, 128, 
and 256 bits. It is obvious that the theoretical efficiency increases with the increase of the 
sync pattern size. For large n, the efficiency can approach 100% implying that OCFB 
88 
mode can obtain high efficiency. However, for small n, the efficiency is close to 0, which 
results from the system continuously resynchronizing. 
If the size of the sync pattern is larger than 4 whenever B is 64, 128 or 256 the 
theoretical efficiency is definitely higher than the efficiency of CFB mode. For n = 8, the 
theoretical efficiencies are 89.1 %, 79.6%, 64.4% for 64, 128, and 256 bit blocks, 
respectively. This is much better than the efficiency of CFB mode which is 1/128 and is 
approaching the efficiency of 100% for OFB mode. 
-+- 8 = 64 bits 
----8 = 128 bits 
8 = 256 bits 
~ 1.2 
c 
.!!! 1 
.!:! ffi 0.8 
- 0.6 .~ 0.4 ~ s 0.2 
.: 0 
0 
~,-· 
~-----/  
// 
....- ... 
Ln,'i""'~ -r-
2 3 4 5 6 7 8 9 10 11 12 
Sync Pattern Size 
Figure 6.8 Theoretical efficiency vs. sync pattern size 
6.3.2 SRD 
The resynchronization properties of OCFB mode are examined experimentally. 
As described above, SRD is used to measure the speed of recovery from bit slips. The 
relationship between SRD and sync pattern size is illustrated in Figure 6.9 using a plot of 
the logarithm base-2 of SRD. 
89 
16 
14 
12 
c 10 
a: 
~ 8 (!) 
g 6 
4+----~ 
2+-~..;.;;_~ 
0 +-----r_,;.w 
2 4 6 8 10 12 14 
Sync Pattern Size 
Figure 6.9 Sync Recovery Delay vs. Sync Pattern Size (B=128) 
The simulation is run under the condition that the probability of a bit slip is 10-5 
and 109 bits are encrypted. It is assumed that there are no multiple bit slips. In the figure, 
the SRD is increased exponentially with the increase of n. SRD is approximately 2n when 
n ~ 10. When n < 10, SRD is larger than 2n. This is because the sync pattern with small n 
has higher frequency in ciphertext data than large n. The probability that bit slips occur in 
the sync pattern to cause missed synchronization is much higher than the cases with large 
n. But compared with SCFB mode, SRD of OCFB mode with small n is lower. 
6.3.3 EPF 
It is important to analyze the variety of situations where errors occur before the 
effect of error propagation factor (EPF) to the communication system is analyzed. There 
are two likely situations according to the effect of error. 
90 
• If the error happens in sync pattern, it will cause missing synchronization 
until the next correct sync pattern occurs. The average number of bit errors 
are (n+k)/2. 
• If the error happens not in sync pattern but no false sync pattern is 
generated, it will cause only one bit error at the receiver. 
The error propagation factor is examined experimentally and the results are 
shown in Figure 6.10. The simulation results are obtained with Pe = 10-5• In this figure, 
EPF becomes a function of n when B = 128. There are two main factors to affect the 
value of EPF. One is the probability of the sync pattern occurring in ciphertext and the 
other is the position where error occurs in the synchronization cycle. The probability of 
the sync pattern represents the recovering capability of the system from an error in the 
sync pattern. The position where error occurs influences on the number of error bits 
according to the discussion above. When the value of n is small, there is a higher 
possibility that the error happens in n-bit sync pattern to cause missing of the sync 
pattern. However, it has stronger capability on recovering from error because the 
probability of the sync pattern with small n is higher than that of the sync pattern with 
larger n. Due to the frequent resynchronization for the system with small n, EPF is 
reduced. As n is getting larger, the decreasing of the probability of the sync pattern 
reduces the capability of the system resynchronization, although the probability that error 
occurs in the sync pattern is also decreased. The result is EPF is generally about B I 2 = 
64. 
91 
72 
70 
68 
u.. 
D. 66 
w 
64 
62 
60 
2 4 6 8 10 12 
Sync Pattern Size 
Figure 6.10 Error propagation factor vs. sync pattern size with B = 128 
6.3.4 Practical Efficiency of OCFB Mode 
Practical efficiency of OCFB mode can be represented by eff = R I Re where R is 
the rate of data coming into PQ and Re is the rate of encryption of the block cipher. The 
ratio between R and Re can be adjusted to attain high efficiency. Since Re is constrained 
by current technology, R is constrained by Re. That means that the maximum throughput 
is constrained by the rate that a block encryption performs. Because of the serial transfer 
from PQ to CQ, the data rate R' leaving from the PQ needs to be considered. However 
data leaving PQ does not have regular data transfer rate because bits might be moved for 
some periods and bit transfer might stall for other periods. On average, data is moved 
from the PQ to the CQ at a rate less than R '. It makes sense that R' = Re and R' > R. It can 
be deducted that Re > R. Efficiency might approach 1 if all of outputs of the block cipher 
can be used to XOR a block of plaintext. However, if it is guaranteed that 
resynchronization can be regained from bit slips or bit errors, the partial block of the 
output of the block cipher would be used in the block following the sync pattern. 
92 
6.3.5 Relationship Between Buffer Size and Probability of Overflow 
The relationship between buffer size and the probability of overflow is 
investigated based on full-queue efficiency of 78.1 %, 84.4%, and 90.6%. The 
experimental results with Rijndael based on sync pattern "10000000" are shown in Figure 
6.11. It is quite straightforward to note that the probability of overflow is lower when the 
buffer size is larger. It is noteworthy that OCFB mode requires much more buffer size 
than SCFB mode. From the figure, it can be seen that it is easy to overflow with the high 
efficiency even with the larger buffer size. In order to achieve the smallest probability of 
data loss, modest efficiency and larger buffer sizes are recommended for OCFB mode. 
For lower probability of overflow, OCFB mode still can obtain relatively high efficiency 
compared with CFB mode. 
--+--Full-queue efficiency= 78.1% 
-Full-queue efficiency= 84.4% 
Full-queue efficiency= 90.6% 
Buffer Size 
Figure 6.11 Probability of overflow vs. buffer size with Rijndael 
93 
6.3.6 Relationship Between Encryption Efficiency and Probability of 
Overflow 
The relationship based on Rijndael between encryption efficiency and probability 
of overflow is illustrated in Figure 6.12. From this figure, it can be seen that the 
probability of overflow approaches 0 when efficiency is below 50% whether the buffer 
size is 192, or 224, or 256. Hence, OCFB mode with high efficiency requires much more 
buffer size in order to minimize the probability of overflow. The probability of overflow 
appears to exponentially follow the increase of efficiency. As expected, large buffer size 
will provide lower probability of overflow for a given efficiency. 
0.18 
0.16 
0.14 
0.12 
0.1 
0.08 
0.06 
0.04 
0.02 
0 . 
-Buffer Size = 256 bits 
-Buffer Size = 224 bits 
--Buffer Size = 192 bits 
"" rt' coco (l.<o ro" rt' ~co !P "" -"<o lbco (l.<o ro" (l.co <:>" (1.'-' ,..._co ro~ ~" ~OJ ~ro ~<:> e>· l><<o 9:J<:> l><<:S ~ e>· .,ro ~ ~ '>~ <oco ~ x,OJ co\:J co~ OJ" ()· ()· ()· ()· ()· ()· ()· ()· ()· ()· 
Fuii_Queue Efficiency 
Figure 6.12 Probability of overflow vs. efficiency with B = 128 
94 
6.4 Performance Comparison between SCFB Mode and 
OCFB Mode 
6.4.1 Theoretical efficiency 
It is known that both SCFB mode and OCFB mode can achieve high efficiency as 
shown in Figure 6.2 and Figure 6.8. However, the difference between them is obvious. 
SCFB mode achieves at least 50% theoretical efficiency and highest efficiency can arrive 
to 100%, but the theoretical efficiency of OCFB mode can vary from 0% to 100%. This 
difference is decided by the characteristics of these two modes. SCFB mode does not 
check for the sync pattern in IV after the sync pattern is found. This makes SCFB mode 
at least use one full block, B bits, in one synchronization cycle, n+B+k. OCFB mode 
checks each n bits for the sync pattern without exception, even in IV. The frequency of 
resynchronization occurring greatly influences the theoretical efficiency of OCFB mode. 
If the sync pattern occurs frequently, the system is busy resynchronizing. This makes the 
theoretical efficiency of OCFB mode decreased and close to 0% for small value of n. 
However, it is possible to obtain high efficiency for OCFB mode by increasing the size of 
the sync pattern. 
6.4.2 SRD 
SCFB mode and OCFB mode have a similar trend shown in Figure 6.13 in SRD 
when the sync pattern size n is increased. However, SCFB mode has much higher SRD 
than OCFB mode when n ~ 6. This indicates that OCFB mode recovers more quickly 
from the loss of synchronization because OCFB mode checks all ciphertext for the sync 
pattern. As mentioned before, the possibility that a bit slip occurs in the first n+B bits of a 
95 
sync cycle is higher when n is small than when n is large. This will lead to either missed 
resynchronization or wrong IV at receiver. Because SCFB mode does not check the sync 
pattern in IV block after the sync pattern is recognized, this phenomenon results in SCFB 
mode needing a longer time to recover for small n. 
-+-SCFB_MODE --11--0CFB_MODE 
16 
14 
12 
iS 10 
a: 
(/) 8 ._. (!) 
0 6 
..J 
4 
2 
0 
2 4 6 8 10 12 14 
Sync Pattern Size 
Figure 6.13 Sync recovery delay vs. sync pattern size with B = 128 
6.4.3 EPF 
From Figure 6.14, EPF of OCFB mode is better than EPF of SCFB mode whether 
the sync pattern size is small or large. This can be explained by the property of OCFB 
mode which checks sync pattern in all ciphertext whether or not it is the first n+B bits of 
a sync cycle. This property gives OCFB mode a fast resynchronization. Another result 
from Figure 6.14 is that when n is small SCFB mode has a much higher EPF. This is 
because false synchronization due to bit errors is prevalent when n is small and SCFB 
will take much longer to resynchronize in these circumstances. Hence, the influence of 
errors on OCFB mode is smaller than on SCFB mode. 
96 
--+-- OCFB_MODE - SCFB_MODE 
140 
120 
100 
LL 80 
c. 
w 60 
40 
20 
0 
2 4 6 8 10 12 
Sync Pattern Size 
Figure 6.14 Error propagation factor vs. sync pattern size with B = 128 
6.4.4 Relationships Between Probability of Overflow and Buffer Size 
To clearly compare the relationship between probability of overflow and buffer 
size of SCFB mode and OCFB mode, Figure 6.15, Figure 6.16, and Figure 6.17, Figure 
6.18, are presented. 
-+- SCFB rrode ---- OCFB rrode 
Buffer size 
Figure 6.15 Probability of overflow vs. buffer size with full-queue efficiency= 50% 
97 
--+-SCFB mode -11-0CFB mode 
Figure 6.16 Probability of overflow vs. buffer size with full-queue efficiency= 78.10% 
--+-SCFB mode --OCFB mode 
oo N m o ~ oo N m o ~ oo 
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Buffer size 
Figure 6.17 Probability of overflow vs. buffer size with full-queue efficiency= 84.40% 
~ 0.2 i 0.15 
; 0.1 
:s 0.05 
_g 
e o 
D.. 
--+-SCFB mode --OCFB mode 
~ ~ ~ 8 ~ , ~ ~ ~ ~ ~ 
~ ~ ~ N N ,~ N N M M M 
Buffer size 
Figure 6.18 Probability of overflow vs. buffer size with full-queue efficiency= 90.60% 
98 
As explained previously for SCFB mode, Figure 6.15 tells us that 50% efficiency 
with B bit buffer size guarantees the system does not have any buffer overflow. It can 
also be seen from Figure 6.15 that OCFB mode suffers from higher probability of 
overflow than SCFB mode when full-queue efficiency is 50% and buffer size is 128 bits. 
The probability of buffer overflow is decreased with the increase of buffer size. When 
buffer size is 256 bits, the probability of buffer overflow is close to 0. 
For the implementation of this thesis, 256 bit buffer size is applied although for 
SCFB mode at 50%, 128 bits would have been sufficient. There are several 
considerations. One consideration is that the system efficiency higher than 50% may be 
implemented. It requires larger buffer size to avoid buffer overflow. The second 
consideration is that OCFB mode requires more buffer size than SCFB mode under the 
same condition of efficiency and low buffer overflow. Hence, the selection of 256 bit 
buffer size is quite reasonable although for SCFB mode only a buffer of 128 bits is 
required. 
Figure 6.16, Figure 6.17, and Figure 6.18 further presents that SCFB mode 
requires significantly less buffer space than OCFB mode for the same probability of 
overflow. OCFB mode needs more buffer size because of its tendency towards more 
frequent resynchronization. 
6.4.5 Relationship Between Probability of Overflow and Efficiency 
Again, because of the frequent resynchronization of OCFB mode, when the 
probability of overflow is the same and the buffer size is fixed, the OCFB efficiency is 
significantly less than SCFB mode as shown in Figure 6.19, Figure 6.20, and Figure 6.21. 
99 
-+- OCFB rrode -111- SCFB rrode 
rP ~ c.. <o '\<o '\<o ~ r-,.<o c..<o c..<o ~ c.. <o 
'V(() !Dco <§> .._co 'V· ... co" co" ~ 'V'? [:)co 0)<>:> 
'VI((> 'V· 'V"':- 'V·' 'V· 'V~ 'Vo; 'V· 
Full-queue efficiency 
Figure 6.19 Probability of overflow vs. full-queue efficiency with B = 192 
-+- OCFB rrode -111- SCFB rrode 
0.2 ~~.,----·--··-------~,_,.,..~ 
0.15 
0.1 
0.05 
0 
rP ~ c..<o '\<o '\<o ~ r-,.<o '\<o c..<o ~ c..<o 
'V(() co<oco (()co -""co 'V· "'co" cp" ~<>:> 'V'? n.'Vco "cp<>:> 
'V· 'V 'V· 'V· 'V 'V· 'V'P v 
Full-queue efficiency 
Figure 6.20 Probability of overflow vs. full-queue efficiency with B = 224 
~ 
0 
~ 0.2 
0 0.15 
0 0.1 
>-= 0.05 
:c 0 
~ 
£ 
-+- OCFB rrode -111- SCFB rrode 
Full-queue efficiency 
Figure 6.21 Probability of overflow vs. full-queue efficiency with B = 256 
6.5 Conclusion 
This chapter analyzes the performance of SCFB and OCFB modes with respect to 
the theoretical efficiency, the synchronization recovery delay, and the error propagation 
100 
factor. In addition, the relationships between efficiency, probability of buffer overflow, 
and buffer size, are investigated. It is definite that both modes can obtain higher 
efficiency than CFB mode. From the above analysis, it is concluded that OCFB mode can 
obtain better error propagation and synchronization recovery delay than SCFB mode. 
However, SCFB mode is able to achieve higher efficiency with a given buffer size and 
lower probability of buffer overflow than OCFB mode. Furthermore, SCFB mode can 
guarantee that the system with 50% efficiency and B bit buffer size would have no buffer 
overflow. OCFB cannot guarantee no overflow for any level of efficiency. 
Hence, SCFB mode is more suitable for high speed physical layer security than 
OCFB mode. 
101 
Chapter 7 
Conclusions and Future Work 
7.1 Summary of the Research 
This thesis investigates two modes of operation, Statistical Cipher Feedback 
(SCFB) mode and Optimized Cipher Feedback (OCFB) mode. These two modes can 
configure a block cipher to operate as a stream cipher and are categorized as self-
synchronizing stream ciphers. 
SCFB mode improves efficiency over CFB mode by turning into OFB mode and 
working as OFB mode most of time. SCFB mode also achieves the ability of self-
synchronization by checking for the sync pattern in ciphertext and turning into CFB 
mode to periodically obtain the IV after the sync pattern is found. SCFB mode is 
implemented in software to analyze the characteristics of synchronization recovery delay, 
error propagation factor and the relationship between buffer size, probability of overflow, 
and full-queue efficiency. In addition, design and hardware implementation of SCFB 
mode was considered by using the Synopsis tool with 0.18 J.tm CMOS technology to 
study the timing issues and hardware properties. In order to compare the performances of 
SCFB mode and OCFB mode and the influences of the different methods of hardware 
implementation on SCFB mode and OCFB mode, our SCFB mode implementation 
adopts a parallel transfer method to encrypt a block of data and then store it into the 
ciphertext queue. For simplicity, the implementation of SCFB mode in this thesis only 
102 
has approximately 10% efficiency. The key generation part is sitting in an idle state most 
of time due to the usage of the same clock in the system to drive the block cipher and 
data transfer. This situation can be changed by using different clocks to drive the block 
cipher and the data transfer into and out of the system. Since, for a higher efficiency, the 
block cipher clocking must be slower, it is simple to derive a slow block cipher clock 
from the data link clock, thereby increasing efficiency. Thus the time of generating the 
keystream can be extended which will shorten the idle time and improve the efficiency of 
whole system. Parallel transfer would allow implementation of efficiency > 50%. The 
penalty with parallel transfer, however, is that a large amount of hardware is required. 
OCFB mode utilizes all of the output of the block cipher to XOR plaintext data to 
produce ciphertext to attain high efficiency and recognizes the sync pattern in ciphertext 
to synchronize the encryption system and the decryption system. The analysis of OCFB 
mode adopts the same analysis method as SCFB mode. OCFB mode has been 
implemented by software to study the performances of SRD, EPF, and the relationships 
between buffer size, full-queue efficiency and probability of overflow. Further OCFB 
mode has been designed and simulated in hardware by using the Synopsis tool with 0.18 
~m CMOS technology. The method of hardware implementation on OCFB mode uses the 
serial transfer from the PQ to the CQ. Serial transfer has relatively simple hardware 
components but suffers from difficulties on the timing relationship between key 
generation part, PQ, and CQ. The method of coordinating these three clock frequencies to 
improve the system efficiency becomes an important part in the implementation of OCFB 
mode. In this study, OCFB mode with 50% efficiency is implemented in hardware. 
103 
The analysis of the performances of OCFB mode and SCFB mode reveal that 
under the same probability of overflow SCFB mode requires significantly less buffer size 
compared with OCFB mode. With the same buffer size and probability of overflow, 
SCFB mode can achieve higher efficiency than OCFB mode. However, due to the 
characteristic that SCFB mode does not check for the sync pattern in the B-bit IV 
collection phase, SCFB mode has the relatively large SRD compared with OCFB mode. 
As well, SCFB mode has a marginally higher EPF than OCFB mode. SCFB mode can 
obtain at least 50% theoretical efficiency without any buffer overflow and up to close to 
100% efficiency with some buffer overflow. OCFB mode can achieve the efficiency from 
0 to approximately 100% but always suffers from some buffer overflow. 
The parallel implementation method of SCFB mode provides the simple timing 
relationship and the lower requirement on buffer size but has complicated hardware 
implementation. Serial implementation method of OCFB mode simplifies hardware 
structure but increases the complexity on timing issues and constrains efficiency to no 
higher than 50%. 
From the analysis and comparison of SCFB mode and OCFB mode, it can be 
concluded that SCFB mode and OCFB mode are quite similar modes except that OCFB 
mode checks the sync pattern all the time without any exception while SCFB mode does 
not check the sync pattern during the collection of the B-bit IV. Another difference 
between these two modes is that OCFB mode always accepts ciphertext as the input of 
the block cipher but SCFB mode turns into CFB mode from OFB mode according to the 
occurrence of the sync pattern. This property of SCFB mode gives an attacker an 
104 
opportunity due to the birthday paradox because there is a possibility that IV is the same 
as one of the outputs of block cipher when SCFB mode works as OFB mode. However, 
this possibility is virtually negligible for a large block size such as 128 bits [5]. 
7.2 Suggestion for Future Work 
A number of directions can be taken for future work. SCFB mode can be 
implemented using serial transfer and the difference from parallel transfer can be 
compared in the future. The hardware implementation efficiency of SCFB mode can be 
improved by giving different clocks to drive data transfer and the block cipher. OCFB 
mode can be implemented using parallel transfer and the difference from serial transfer 
can be compared in the future. The hardware structures of SCFB mode and OCFB mode 
can be optimized and the area utilization can be improved by adding more constraints. 
Further hardware synthesis for these two modes can be done to fulfill the work of placing 
and routing in a real VLSI device. FPGAs technologies today provide flexible design, 
cost effective, reprogrammed capability compared with traditional fixed-logic ASICs. 
These features make FPGAs technology become key system-level technology. SCFB 
mode and OCFB mode can be implemented in FPGAs. Test on the real chip is required 
as the important step for the chip design. As well, the current used mode in reality and 
other new modes can be compared with SCFB mode and OCFB mode to select a better 
mode which can be applied for physical layer of high speed network. 
105 
References 
[1] National Institute of Standards and Technology, "Data Encryption Standard 
(DES)", Federal Information Processing Standard 46, 1997 
[2] National Institute of Standards and Technology, AES web site: 
csrc.nist.gov/encryption/aes 
[3] W. Stallings, Cryptography and Network Security, Prentice Hall press, 
second edition, 2003 
[4] A.J. Menezes, P.van Oorschot, and S.A. Vanstone, Handbook of Applied 
Cryptography, CRC Press, 1997 
[5] H. M. Heys, "Analysis of the Statistical Cipher Feedback Mode of Block 
Ciphers," IEEE Transactions on Computer, vol.52, no. 1, pp. 77-92, Jan. 
2003 
[6] 0. Jung, S. Kuhn, C. Ruland, and K. Wollenweber, "Enhanced Modes of 
Operation for the Encryption in High-Speed Networks and their Impact on 
QoS," ACISP 2001, pp. 344-359 
[7] J. Pitman, Probability, Springer-Verlag press, 1993 
[8] Canadian Microelectronics Corporation, Tutorial on CMC's Digital IC 
Design Flow, October 2002, Document ICI-096 
[9] Y. EI-Sayed, Performance Analysis, Design and Reliability of the Balanced 
Gamma Network, Ph.D. thesis, Memorial University, 1999 
[10] O.Jung and C. Ruland, "Encryption with Statistical Self-Synchronization in 
Synchronous Broadband Networks," Cryptographic Hardware and 
106 
Embedded Systems- CHES'99, Lecture Notes in Computer Science 1717, 
Springer-Verlag, pp. 340-352, 1999 
[11] F. Yang, H. M. Heys, "Implementation of Statistical Cipher Feedback 
Mode", NECEC conference, Dec. 2002 
[12] T. Ichikawa, T. Kasuya, and M. Matsui, "Hardware evaluation of the AES 
finalists," in Proc. 3rd AES Candidate Conference, New York, pp. 279-285, 
Apr. 2000 
[13] A.Alkassar, A. Geraldy, B. Pfitzmann, A-R. Sadeghi, "Optimized Self-
Synchronizing Mode of Operation," Fast Software Encryption Workshop -
FSE 2001, Yokohama, Japan, Apr. 2001. 
107 
Appendix A 
Waveforms of the Hardware 
Implementation of SCFB Mode 
The signals used in the waveforms are described below. 
Name of Signal Function 
/SCFB_ENCRYP _TEST_BENCHIRESET Reset the system 
/SCFB_ENCRYP _TEST_BENCH/CLK System clock 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_IN Data bit incoming into PQ 
/SCFB_ENCRYP _TEST_BENCH/SERIAL_OUT Data bit outgoing from CQ 
/SCFB_ENCRYP _TEST_BENCH/IV 
/SCFB_ENCRYP _TEST_BENCH/PATTERN 
/SCFB_ENCRYP _TEST _BENCH/CV _IN 
/SCFB_ENCR YP _TEST _BENCH/tscfbO/found 
/SCFB_ENCRYP _TEST _BENCH/ tscfbO/num 
/SCFB_ENCRYP _TEST_BENCH/ 
tscfbO/ready _data 
/SCFB_ENCRYP _TEST_BENCH/ 
tscfbO/key _ready 
/SCFB_ENCRYP _TEST_BENCH/ tscfbO/subkey 
/SCFB_ENCRYP _TEST_BENCH/ 
tscfbO/Data_out 
108 
Initialization Vector 
Sync pattern 
Initial key 
The flag that the sync patter 
is found or not 
The number needed by the 
new IV 
The flag to sign that the 
new block of ciphertext data 
is ready 
The flag that the new block 
of keystream is ready 
The current keystream 
The current plaintext data 
sent out by the plaintext 
subsystem 
The waveforms of the encryption system 
109 
....... 
....... 
0 
/SCFB_ENCRYP_TEST_BENCHVCLK 
/SCFB_ENCRYP_TEST_BENCHVRESET 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_IN 
/SCFB_ENCRYP _TEST _BENCHVSERIAL_OUT 
!> /SCFB_ENCRYP _TEST_BENCH/IV(127:0) 
r> /SCFB_ENCRYP _TEST_BENCH/PATTERN(7:D) 
!>- /SCFB_ENCRYP _TEST _BENCH/CV _IN(255:D) 
/SCFB_ENCRYP _TEST _BENCH/tscfbO/found 
1> /SCFB_ENCRYP _TEST _BENCH/tscfb0/num(7:0) 
0 
0 
FFDOAA550FF0330DFFCCOB332460777Bii FFOOAA550FF03300tFCCOB332460777B I 
80 
8525485254852548525485254852548525~~525495254952549525485254952549525 
0 
DO 
/SCFB_ENCRYP _TEST _BENCHVtscfbOfready_data ll 0 
/SCFB_ENCRYP _TEST _BENCHVtscfbOfkey_ready 
1> /SCFB _ ENCRYP _TEST _BENCHVtscfbO/subkey( 127:0) E8AAA6A 1301 03612470481 00070A 1 C06 pDDDDDOODOOOOOOOOOO* 8AAA6A 1301 036124* } 
1> /SCFB_ENCRYP _TEST _BENCHVtscfbOf0ata_out(127:0) OOOOOOOOOOOODOOOODOOOOOOOOOOOOOO OOOODOOOOOOOOOOO )000000000000000 !/jl 
1> fSCFB_ENCRYP _TEST _BENCHVtscfbO/ciphertext( 127:0) E8AAA6A 1301 03612470481 00070A 1 COG, pDDOOOOOOOOOOOOOOOO* 8AAA6A 1301 036124* , •..• 
........ 
........ 
........ 
/SCFB_ENCRYP_TEST_BENCH/CLK 
/SCFB_ENCRYP_TEST_BENCHIRESET 
/SCFB_ENCRYP _TEST _BENCH/SERIAL IN 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_ OUT 
D>- /SCFB_ENCRYP _TEST _BENCH/IV(127:0) 
1> /SCFB_ENCRYP _TEST _BENCf-VPA TTERN(7:0) 
t> /SCFB_ENCRYP _TEST _BENCf-VCV _IN(255:0) 
/SCFB_ENCRYP _TEST _BENCf-VtsclbO/found 
t> /SCFB_ENCRYP _TEST _BENCf-VtsclbO/num(7:0) 
/SCFB _ ENCRYP _TEST_ BENCf-VtsclbO/ready _data 
Z58Z 
0 
0 
0 
FFOOAA550FF03300FFCCD833246D777 
80 
852549525495254952549525495254952 
0 
00 
/SCFB_ENCRYP _TEST _BENCf-VtsclbO/key _ready II o 
t> /SCFB_ENCRYP _TEST _BENCH/tsclbO/subkey(127:0) E8AAA6A 130103612470481 D0070A 1 
t> /SCFB_ENCRYP _TEST _BENCH/tsclb0/Data_out(127:0) 7478D47C6903628027E5DB756495FC13 
11> /SCFB ENCRYP TEST BENCf-VtsclbO/ciphertext( 127:0) 9CD272D0541 3549260315AA5639FEO 15 
- - - rr---~----------------------~ 
....... 
....... 
N 
/SCFB_ENCRYP_TEST_BENCHICLK 
/SCFB_ENCRYP_TEST_BENCHIRESET 
/SCFB_ENCRYP _TEST_BENCHISERIAL IN 
/SCFB_ENCRYP _TEST _BENCH/SERIAL_ OUT 
1> /SCFB_ENCRYP _TEST _BENCHIIV(127:0) 
1> /SCFB_ENCRYP _TEST _BENCH/PA TTERN(7:0) 
1> /SCFB_ENCRYP _TEST _BENCH/CV _IN(255:D) 
/SCFB_ENCRYP _TEST _BENCH/tsclbO/found 
1> /SCFB_ENCRYP _TEST _BENCH/tsclb0/num(7:0) 
/SCFB_ENCRYP _TEST _BENCH/tsclbO/ready_data 
0 
0 
FFODAA55DFF03300FFCCDB33246077781:1 
1
FFOOAA550FF03300FFCCtB332460777B fT 
80 
95254952549525495254952549525495251r52549525495254952549525f5~54952549525*1 
DE 
/SCFB_ENCRYP _TEST _BENCH/tsclbO/key_ready II 0 
11> /SCFB_ENCRYP _TEST _BENCH/tsclbO/subkey(127:0) 134F4AD15E5COOC9895BFF703F9E5449 t:ol-\1-\1-\oR 1.:>u 1 u.:>o 1 u+r -II.:>'+ '+RU 1 ::.t:::.L.uu~..-::~ · y 
1> /SCFB_ENCRYP _TEST _BENCH/tsclb0/Data_out(127:0) DOOOOOOOOOOOOOOODD00000000007F11 I7478D47C6903628027E5087 ~OOOOOOOOOOOOO* f 
1> /SCFB_ENCRYP _TEST _BENCHitsclbO/ciphertext( 127:0) 134F4AO 1 5E5CDDC9895BFF703F9E2858 j9CD2720054135492603*167* 1 34F 4AD 15E5CO* :l:i!i 
1--' 
1--' 
w 
[lie _Edit _Marker §oTo Y)ew 
/SCFB_ENCRYP_TEST_BENCHICLK 
/SCFB_ENCRYP_TEST_BENCHIRESET 
/SCFB_ENCRYP _TEST _BENCHISERIAL_IN 
/SCFB_ENCRYP _TEST_BENCHISERIAL_OUT 
1> /SCFB_ENCRYP _TEST_BENCHIIV(127:0) 
1> /SCFB_ENCRYP _TEST_BENCH/PATTERN(7:0) 
1> /SCFB_ENCRYP _TEST _BENCH/CV _IN(255:0) 
/SCFB_ENCRYP _TEST _BENCH/tscfbO/found 
1> /SCFB_ENCRYP _TEST _BENCH/tscfb0/num(7:0) 
0 
0 
FFOOAA550FF03300FFCCDB33246D77 
80 
9525495254952549525495254952549525~ll52549 
0 
00 
/SCFB_ENCRYP _TEST _BENCH/tscfbO/ready_data li 0 
/SCFB_ENCRYP _TEST _BENCH/tscfbO!key_ready 
1> /SCFB_ENCRYP _TEST _BENCH/tscfbO/subkey( 127:0) 7 A09F 1571 C98A6DA 79DF79C583FF3656 134F4AO 15E5CODC* 17 A09F 1571 C98A6DA 79D* '~ 
1> /SCFB_ENCRYP _TEST _BENCH/tscfbO/Data_ out( 127:0) 00000000000000000000000000007F 11 0000000000000 000000000000007F 11 
1> /SCFB_ENCRYP _TEST _BENCH/tscfb0/ciphertext(127:0) 7 A09F 1571 C98A6DA 79DF79C583FF 4947 134F4AO 15E5CODC"I7 A09F 1571 C98A6DA 79D* ~f' 
The waveforms of the decryption system 
114 
1--" 
1--" 
Vl 
Eile J;:dit Marker §oTo Window 
/SCFB_OECRYP_TEST_BENCHICLK 
/SCFB_OECRYP_TEST_BENCI-VRESET 
/SCFB_OECRYP _TEST _BENCHISERIAL_IN 
/SCFB_OECRYP _TEST _BENCH/SERIAL_ OUT 
!> /SCFB_OECRYP _TEST _BENCH/IV(127:0) 
!> /SCFB_OECRYP _TEST _BEN CHIP A TTERN(7:0) 
!> /SCFB_OECRYP _TEST _BENCHICV _IN(255:0) 
/SCFB_OECRYP _TEST _BENCI-VtsclbO/found 
0 
0 
0 
FFOOAA550FF03300FFCCOB332460777B 
80 
8000000000000000000000000000000000001 800000000000 000000000000000000000000* 
0 
,.._ /SCFB_OECRYP _TEST _BENCI-Vtsclb0/num(7:0) II 00 
/SCFB_OECRYP _TEST _BENCHitsclbO/ready_data 0 
/SCFB_OECRYP _TEST _BENCH/tsclbOikey_ready , 
!> /SCFB_OECRYP _TEST _BENCH/tsclb0/subkey(127:0) E8AAA6A 130103612470481 00070A 1 C06 00000000000* 8AAA6A 130103612470481 0*
1 
.•• 
1> /SCFB_OECRYP _TEST _BENCI-Vtsclb0/0ata_out(127:0) oooooooooooooooooooooooooooooooo 000000000 0000000000000000000000 k~ 
1> /SCFB_OECRYP _TEST _BENCI-VtsclbO/ciphertext(127:0) E8AAA6A 130103612470481 00070A 1 C06 00000000000* 8AAA6A 130103612470481 O*l 
"""'"' 
"""'"' 0\
/SCFB_OECRYP_TEST_BENCHICLK 
/SCFB_OECRYP _TEST _BENCH/RESET 
/SCFB_OECRYP _TEST _BENCH/SERIAL_IN 
/SCFB_OECRYP _TEST_BENCH/SERIAL_OUT 
1>- /SCFB_OECRYP _TEST _BENCHIIV(127:0) 
1>- /SCFB_OECRYP _TEST _BENCH/PATTERN(7:0) 
1>- /SCFB_OECRYP _TEST _BENCH/CV _IN(255:0) 
/SCFB_OECRYP _TEST _BENCH/tscfbOifound 
2560 
0 
0 
0 
FFOOAA550FF03300FFCCDB33246D777B 
80 
800000000000000000000000000000000 
0 
1>- /SCFB_OECRYP _TEST _BENCH/tscfbO/num(7:0) II 00 
/SCFB _ OECRYP _TEST _BENCH/tscfbO/ready _data 
/SCFB_OECRYP _TEST _BENCH/tscfbO/key_ready 0 
1>- /SCFB_OECRYP _TEST _BENCH/tscfb0/subkey(127:0) E8AAA6A 130103612470481 00070A 1 C06 
1>- /SCFB_OECRYP _TEST _BENCH/tscfb0/Data_out(127:0) 9CD272DD5413549260315AA5639FE015 
1> /SCFB_OECRYP _TEST _BENCH/tscfb0/ciphertext(127:0) 7478D47C6903628027E508756495FC13 
1-' 
1-' 
-..l 
[lie _Edit .Marker §o To YJew 
/SCFB_DECRYP_TEST_BENCHVCLK 
/SCFB_DECRYP_TEST_BENCHVRESET 
/SCFB_DECRYP _TEST_BENCH/SERIAL IN 
/SCFB_DECRYP _TEST _BENCHVSERIAL_OUT 
1> /SCFB_DECRYP _TEST _BENCHVIV(127:0) 
I> /SCFB_DECRYP _TEST_BENCH/PATTERN(?:O) 
t>- /SCFB_DECRYP _TEST _BENCH/CV _IN(255:0) 
/SCFB DECRYP TEST BENCH/tscfbO/found 
;moo 
0 
0 
FFODAA550FF0330DFFCCDB33246D777B 
80 
8000000000000000000000000000000000001 80000000000000000000 000000000000000* 
1> /SCFB=DECRYP =TEST =BENCH/tscfbO/num(?:O) II DE 
/SCFB_DECRYP _TEST _BENCH/tscfbO/read)!_data 
/SCFB_DECRYP _TEST _BENCH/tscfbO/key_ready 0 
1> /SCFB_DECRYP _TEST _BENCH/tscfb0/subkey(127:0) 134F4A015E5CODC9895BFF703F9E5449 
1> /SCFB_DECRYP _TEST _BENCH/tscfb0/Data_out(127:0) 00000000000000000000000000006B58 
1> /SCFB_DECRYP _TEST _BENCH/tscfbO/ciphertext( 127:0) 134F 4AO 15E5CODC9895BFF703F9E3F 11 
....... 
....... 
00 
/SCFB _ DECRYP _TEST_ BENCH/CLK 
/SCFB_DECRYP_TEST_BENCHIRESET 
/SCFB_DECRYP _TEST _BENCHISERIAL_IN 
/SCFB_DECRYP _TEST _BENCH/SERIAL_ OUT 
t»- /SCFB_DECRYP _TEST _BENCH/IV(127:0) 
t»- /SCFB_DECRYP _TEST_BENCH/PATTERN(7:0) 
11> /SCFB_DECRYP _TEST _BENCH/CV _IN(255:0) 
/SCFB_DECRYP _TEST _BENCHitsctbO/found 
0 
FFOOAA550FF03300FFCCD833246D7778 
t»- /SCFB_DECRYP _TEST _BENCH!tsctbO/num(7:0) II 00 
/SCFB_DECRYP _TEST _BENCH!tsctbO/ready_data 0 
/SCFB_DECRYP _TEST _BENCH!tsctbO/key_ready 
t»- /SCFB_DECRYP _TEST _BENCH/tsctbO/subkey( 127:0) 7 A09F 1571 C98A6DA 79DF79C583FF3656 
1> /SCFB_DECRYP _TEST _BENCH!tsctb0/Data_out(127:0) 00000000000000000000000000006858 
t»- /SCFB_DECRYP _TEST _BENCHitsctbO/ciphertext( 127:0) 7 A09F 1571 C98A6DA 79DF79C583FF5DOE 
0000000000000000000000000000* 
The plaintext data in the input file of the encryption system: 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
119 
The plaintext data recovered in the output file of the decryption system: 
00000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000000 
00000000000000000000000000001111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
120 
Appendix B 
Waveforms of the Hardware 
Implementation of OCFB Mode 
The signals used in the waveforms are described below: 
Name of Signal 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT_TEST_BENCH/CLK1 
/OCFB_ENCRYPT_TEST_BENCH/ ten0/en0/CLK2 
/OCFB_ENCRYPT_TEST_BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_ENCRYPT_TEST_BENCH/SERIAL_OUT 
/OCFB_ENCRYPT_TEST_BENCH/IV 
/OCFB_ENCR YPT _ TEST_BENCH/KEY 
/OCFB_ENCRYPT_TEST_BENCH/ tenO/key_done 
/OCFB_ENCRYPT_TEST_BENCH/ tenO/val 
/OCFB_ENCR YPT _TEST _BENCH/ tenO/plaintext 
/OCFB_ENCR YPT _TEST _BENCH/ tenO/en llk4/eq 
/OCFB_ENCR YPT _TEST _BENCH/ tenO/keystream 
/OCFB_ENCRYPT _TEST _BENCH/ 
ten0/en1/k4/cc 1/i_counter 
121 
Function 
Reset the system 
System clock 
Clock for Leaving from PQ 
and incoming to 
CQ 
Clock for block cipher 
Data bit incoming into PQ 
Data bit outgoing from CQ 
Initialization Vector 
Initial key 
Done signal for encryption 
of block cipher 
Validation of data 
Plaintext bit outgoing from 
PQ 
Flag for sync pattern 
Keystream bits 
Counter 
The waveforms of the encryption system 
122 
......... 
N 
VJ 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT _TEST _BENCH/CLK 1 
/OCFB_ENCRYPT _TEST _BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB _ENCRYPT_ TEST_ BENCH/SERIAL_ OUT 
11> /OCFB_ENCRYPT _TEST _BENCH/IV(127:D) 
11> /OCFB_ENCRYPT _TEST _BENCH/KEY(255:D) 
/OCFB_ENCRYPT _TEST _BENCH/tenD/key _done 
/OCFB _ENCRYPT_ TEST_ BENCH/tenD/val 
/OCFB_ENCRYPT _TEST _BENCH/tenD/plaintext 
D 
D 
D /OCFB_ENCRYPT _TEST _BENCH/tenD/en 1/k4/eq 
/OCFB_ENCRYPT _TEST _BENCH/tenD/keystream 
/OCFB_ENCRYPT _TEST _BENCH/tenD/en1/k4/cc1/i_counter 11111 
/OCFB_ENCRYPT _TEST _BENCH/tenD/ciphertext 
,.._.. 
N 
+:>. 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT _TEST _BENCH/CLK 1 
/OCFB_ENCRYPT_TEST_BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_ OUT 
1>- /OCFB_ENCRYPT _TEST _BENCH/IV(127:D) 
1>- /OCFB_ENCRYPT _TEST _BENCH/KEY(255:D) 
/OCFB_ENCRYPT _TEST _BENCH/tenD/key_done 
/OCFB_ENCRYPT _TEST _BENCH/tenD/val 
/OCFB_ENCRYPT _TEST _BENCH/tenD/plaintext 
D 
D 
D 
/OCFB_ENCRYPT _TEST _BENCH/tenD/en 1/k4/eq ll D 
/OCFB_ENCRYPT _TEST _BENCH/tenD/keystream II D 
/OCFB ENCRYPT_ TEST _BENCH/tenD/en 1/k4/cc 1/i_counter 118 
/OCFB_ENCRYPT _TEST _BENCH/tenD/ciphertext 
....... 
N 
Ul 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT _TEST _BENCH/CLK 1 
/OCFB_ENCRYPT _TEST _BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB _ENCRYPT_ TEST _BENCHISER I AL _OUT 
1> /OCFB_ENCRYPT _TEST _BENCI-VIV(127:D) 
1> /OCFB_ENCRYPT _TEST _BENCI-VKEY(255:D) 
/OCFB_ENCRYPT _TEST _BENCH/tenD/key_done 
/OCFB_ENCRYPT _TEST _BENCH/tenD/val 
/OCFB_ENCRYPT _TEST _BENCH/tenD/plaintext 
/OCFB_ENCRYPT _TEST _BENCH/tenD/en1/k41eq 
/OCFB _ENCRYPT_ TEST_ BENCH/tenD/keystream 
D 
D 
D 
D 
D 
D 
/OCFB_ENCRYPT _TEST _BENCI-VtenD/en1/k41cc1/i_counter ll11 9 
/OCFB_ENCRYPT _TEST _BENCI-VtenD/ciphertext 
......... 
N 
0\ 
/OCFB_ENCRYPT _TEST _BENCH/RESET 
/OCFB_ENCRYPT _TEST _BENCH/CLK 1 
/OCFB_ENCRYPT _TEST _BENCH/CLK3 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_ENCRYPT _TEST _BENCH/SERIAL_ OUT 
1> /OCFB_ENCRYPT _TEST _BENCH/IV( 1 Z7:D) 
1> /OCFB_ENCRYPT _TEST _BENCH/KEY(Z55:D) 
/OCFB_ENCRYPT _TEST _BENCH/tenD/key_done 
/OCFB_ENCRYPT _TEST _BENCH/tenD/val 
/OCFB_ENCRYPT _TEST _BENCH/tenD/plaintext 
/OCFB_ENCRYPT _TEST _BENCH/tenD/en1/k41eq 
/OCFB_ENCRYPT _TEST _BENCH/tenD/keystream 
D 
D 
D 
D 
D 
D 
/OCFB_ENCRYPT _TEST _BENCH/tenD/en1/k4/cc1/i_counter ll 119 
/OCFB_ENCRYPT _TEST _BENCH/tenD/ciphertext 
The waveforms of the decryption system 
127 
.......... 
N 
00 
file f.dit M_art<er .§oTo Ylew .Qptions '!'llndow 
~JIIIll!liifiilillllllll z+l z-IIIIE 
/OCFB_DECRYPT _TEST _BENCH/RESET 
/OCFB_DECRYPT_TEST_BENCH/CLKl 
/OCFB_DECRYPT_TEST_BENCHICLK3 
/OCFB_DECRYPT _TEST _BENCHISERIAL_IN 
/OCFB_DECRYPT _TEST _BENCH/SERIAL_ OUT 
1> /OCFB_DECRYPT _TEST _BENCH/IV(127:D) 
1> /OCFB_DECRYPT _TEST _BENCH/KEY(255:D) 
/OCFB_DECRYPT _TEST _BENCH/tenD/key_done 
/OCFB_DECRYPT _TEST _BENCH/tenD/val 
/OCFB_DECRYPT _TEST _BENCH/tenD/plaintext 
/OCFB_DECRYPT _TEST _BENCH/tenD/en1/k4/eq 
/OCFB_DECRYPT _TEST _BENCH/tenD/keystream 
D 
D 
D 
D 
/OCFB _DECRYPT_ TEST _BENCH/tenD/en 1/k4/cc 1/i_ counter I! 1 
/OCFB_DECRYPT _TEST _BENCH/tenD/ciphertext 
......... 
N 
10 
/OCFB_DECRYPT _TEST _BENCH/RESET 
/OCFB_DECRYPT _TEST _BENCH/CLK 1 
/OCFB_DECRYPT _TEST _BENCHICLK3 
/OCFB_DECRYPT _TEST _BENCH/SERIAL_IN 
/OCFB_DECRYPT _TEST _BENCH/SERIAL_ OUT 
t> /OCFB_DECRYPT _TEST _BENCHIIV(127:D) 
t> /OCFB_DECRYPT _TEST _BENCH/KEV(255:D) 
/OCFB_DECRYPT _TEST _BENCH/tenD/key_done 
/OCFB_DECRYPT _TEST _BENCH/tenD/val 
/OCFB_DECRYPT _TEST _BENCH/tenD/plaintext 
/OCFB_DECRYPT _TEST _BENCH/tenD/en1/k41eq 
/OCFB_DECRYPT _TEST _BENCH!tenD/keystream 
/OCFB_DECRYPT _TEST _BENCH/tenD/en1/k41cc1/i_counter 
/OCFB _DECRYPT_ TEST _BENCH/tenD/ciphertext 
D 
D 
D 
........ 
UJ 
0 
/OCFB_DECRYPT _TEST _BENCH/RESET 
/OCFB_DECRYPT _TEST _BENCH/CLK 1 
/OCFB_DECRYPT _TEST _BENCH/CLK3 
/OCFB_DECRYPT _TEST _BENCH/SER IAL_IN 
/OCFB_DECRYPT _TEST _BENCH/SERIAL_ OUT 
1> /OCFB_DECRYPT _TEST _BENCH/I V(127:D) 
1> /OCFB_DECRYPT _TEST _BENCH/KEY(255:D) 
/OCFB_DECRYPT _TEST _BENCH/tenD/key_done 
/OCFB_DECRYPT _TEST _BENCH/tenD/val 
/OCFB_DECRYPT _TEST _BENCH/tenD/plaintext 
D 
D 
D 
D 
D 
D /OCFB_DECRYPT _TEST _BENCH/tenD/en 1/k41eq 
/OCFB_DECRYPT _TEST _BENCH/tenD/keystream 
/OCFB_DECRYPT _TEST _BENCH/tenD/en1/k4/cc1/i_counter 11128 
/OCFB_DECRYPT _TEST _BENCH/tenD/ciphertext 
/OCFB_DECRVPT _TEST _BENCH/RESET D 
/OCFB_DECRVPT _TEST _BENCH/CLK 1 D 
/OCFB_DECRVPT _TEST _BENCH/CLK3 D 
/OCFB_DECRVPT _TEST _BENCH/SERIAL_IN D 
/OCFB_DECRVPT _TEST _BENCH/SERIAL_ OUT 
1>- /OCFB_DECRVPT _TEST _BENCH/IV(1 27:D) 
1>- /OCFB_DECRVPT _TEST _BENCH/KEV(255:D) 
....... /OCFB_DECRVPT _TEST _BENCH/tenD/key_done liD 
w 
....... /OCFB_DECRVPT _TEST _BENCH/tenD/val 
/OCFB_DECRVPT _TEST _BENCH/tenD/plaintext 
IOCFB _DE CRYPT_ TEST_ BENCHAena'en1/k4/cq r 
/OCFB_DECRVPT _TEST _BENCH/tenD/keystream D 
/OCFB DECRYPT TEST_BENCH!tenD/en1/k4/cc1/i_counter , 111 111 ! i!! 0; '111'1:1 :::::i: Cl 
/OCFB_DECRVPT _TEST _BENCH/tenD/ciphertext 
The plaintext data in the input file of the encryption system: 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
132 
The plaintext data recovered in the output file of the decryption system: 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
11111111111111111111111111111111111111111111111111 
133 


