In this paper the design of a high-speed cryptographic coprocessor is presented. This coprocessor is named Subterranean and can be used for both cryptographic pseudorandom sequence generation (Substream) and cryptographic hashing (Subhash). In Substream mode
Introduction
Due to the increased possibilities for all kinds of communications among people by means of telephony, computers, broadcasting etc., the needs towards the protection and security of the information being stored or transmitted have also increased in demand. This is required to avoid unauthorised access to all kinds of information (data links, television programs, telecommunication etc.). This has led to several methods and algorithms that allow to protect such information. An overview of the field of cryptology is presented in [1]. The Subterranean coprocessor chip has been designed according to the algorithms developed by Daemen e.a. [3]. The chip can be used as a cryptographic pseudorandom sequence generator (CPRG) and a cryptographic hash function (CHF), respectively called Substream and Subhash. Substream and Subhash are powerful primitives in the realisation of computer security. A CPRG can be used for confidentiality of stored or transmitted data by stream encryption [1]. A CHF is an indispensable component of practical data integrity, authentication and digital signature schemes [1]. Moreover, the security of many cryptographic protocols depends on a CHF and on unpredictable random bits that can be produced by a CPRG [1]. In the providing of security services, all bulk operations on large variable-length files, namely encryption and hashing, can be performed by the coprocessor.
Many of the cryptographic algorithms that have been developed are being used in software implementations on computers (e.g. to have protection of encoded passwords for users). For low complexity types of applications, such as the protection of information in files and databases, this is probably the most economic solution. A number of applications however require such high throughputs for the encryption/decryption process that they cannot be executed on a normal general purpose microprocessor. These applications require dedicated ASIC implementations. A number of hardware implementations for cryptographic algorithms have been realised [6, 7, 8].

For the key there are 2 options: hold and load. Every iteration a 16-bit value $Z$ is presented at the output.
We will now specify the updating, loading and output functions in detail.
The updating function $A^{t+1} = F(A^t, K^t)$ can be considered as a 5-step transformation of the internal state $A$. In the following, all indices should be taken modulo 257, $\vee$ means OR and $\oplus$ means XOR.

Step 1: $a_i = a_i \oplus (a_{i+1} \vee \overline{a_{i+2}})$, $0 \le i < 257$

Step 2: one fixed bit of $A$ is complemented

Step 3: $a_i = a_i \oplus a_{i+3} \oplus a_{i+8}$

Step 4: $a_i = a_i \oplus k_{i-1}$

Step 5: $a_i = a_{12i}$, $0 \le i < 257$

Figure 1 clarifies how the five steps of $F$ contribute to the calculation of one state bit.
Step 1 is a nonlinear cellular automaton (CA) operation where each bit value $a_i$ is updated according to the bit values in its neighborhood (in this step and in step 3 periodic boundary conditions apply).
Step 2 consists merely of complementing 1 bit, to eliminate circular symmetry in case all state bits are 0.
Step 3 is a linear CA operation. In step 4 the actual key bits are injected into $A$.
Step 5 is a dispersing bit permutation. The length of $A$ is 257 (a prime) to make steps 1 and 3 invertible and to avoid circular symmetric patterns in $A$.
Informally, the cryptographic claim can be formulated as follows: Substream cannot be distinguished from a binary symmetric source by an adversary not in possession of the key.
Subhash
Suppose we want to calculate the hash result $H_S$ of a $b$-bit message using Subhash. Here $b$ may be any integer. Before hashing, the message has to be padded so that its length is a multiple of 32.

Padding of the message

The message is extended with a number $p$ of 0-bits so that its length in bits is a multiple of 32 and

The system is initialized by resetting the internal state and making sure that the key register contains only 0-bits. The (padded) message is loaded into the key register 32 bits at a time while the finite state machine

The Hash Result is defined by $H_0 H_1 \ldots H_{15}$.
Subhash is claimed to be collision-free: it should be computationally infeasible to come up with two messages that hash to the same result.
Chip Realisation

3.1 Overall Functionality
The design has been realised in such a way as to fit in a 40 pin package. This required multiplexing information from different sources as well as bidirectional busses.
In Substream mode a parallel input of 10 bit words as well as a simultaneous parallel output of 10 bit words is provided at the speed of the overall clock.
In Subhash mode a parallel input of 32 bit words is provided at the speed of the overall clock.
The 256 bit keywords can be entered in 8 consecutive pieces of 32 bits in parallel.
A tree-like clock distribution network has been designed in order to have an equal balancing of the clocks among all of the registers in the circuit.
MPC Service
The algorithm of Subterranean has been implemented in an integrated circuit. This has been done in the scope of the IMEC/INVOMEC multi project chip service. IMEC/INVOMEC is the division of IMEC that is organising the education, CAD support and MPC service towards educational institutions. IMEC/INVOMEC is also one of the five major tive, which provides these services to over 300 institutes (universities and polytechnics all over Europe).
The implementation technology has been the 2.4 µm CMOS standard cell technology of MIETEC. The layout of the chip is shown in figure 2. The active area with bonding pads is 6.00 mm × 7.86 mm (47 mm²).

Testability Considerations
In the first version of the design, careful considerations were taken from the start in order to make the chip testable. This was achieved by making all of the registers scan-testable. It turned out however that for many chip implementations of cryptographic algorithms it is undesirable to realise the registers with the keys as scan registers, as they can be read out in test mode. In cases where one would include the scan chains in the additional test modes of a boundary scan according to JTAG, this would very much facilitate the readout of key registers. Therefore the scannable registers in the key and state registers have been removed for additional security. In the current implementation the keys are write-only. This means that there is no direct access possible to the key or state information via the external pins of the chip. This of course had its consequences for the testability. Due to the cryptographic aspects of confusion and diffusion as explained above, the influence of stuck-at faults propagates very fast over all bits in the state register and consequently manifests its effect at the output of the chip. A number of test sequences that exploit this aspect of confusion and diffusion have been determined (with a maximum length of 43 iteration cycles). By means of fault simulation it has been shown that these test sequences allow for a 100% testability of all stuck-at faults at the inputs and outputs of the standard cells.
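As an added illustration (not the chip's RTL and not code from the authors), the following Python model implements the five-step updating function specified in the Substream section and runs the checks a reviewer of this design would want: that step 1 is a bijection for an odd state length but not for an even one (checked exhaustively on small lengths), that step 3 has full rank over GF(2) for length 257, that the step 5 permutation $a_i = a_{12i}$ is a bijection, that step 2 is what breaks the circular symmetry of the reset state, and, for the testability argument in this section, how a single stuck-at-0 register bit produces a state that differs from the fault-free one within a few iterations. Assumptions not stated on the page and marked in the code: step 2 complements bit 0; step 4 applies $k_{i-1}$ for $1 \le i \le 256$; the stuck-at fault is modelled by forcing one register bit to 0 after every update; the reset state and all-zero key are constructed inputs; the 16-bit output function of the chip is not modelled, so the fault is observed on the state itself.

```python
from itertools import product

N = 257          # state length in bits, a prime (as on the page)
KEY_BITS = 256   # key length in bits (page: 256-bit keywords)


def step1(a):
    """Nonlinear CA step: a_i = a_i XOR (a_{i+1} OR NOT a_{i+2}), indices mod n."""
    n = len(a)
    return [a[i] ^ (a[(i + 1) % n] | (1 - a[(i + 2) % n])) for i in range(n)]


def step2(a):
    """Complement one fixed bit.  ASSUMPTION: bit 0 (the page only says one bit)."""
    b = list(a)
    b[0] ^= 1
    return b


def step3(a):
    """Linear CA step: a_i = a_i XOR a_{i+3} XOR a_{i+8}, periodic boundary."""
    n = len(a)
    return [a[i] ^ a[(i + 3) % n] ^ a[(i + 8) % n] for i in range(n)]


def step4(a, k):
    """Key injection a_i = a_i XOR k_{i-1}.  ASSUMPTION: applied for 1 <= i <= len(k),
    so the 256 key bits cover every state bit except a_0."""
    b = list(a)
    for i in range(1, len(k) + 1):
        b[i] ^= k[i - 1]
    return b


def step5(a):
    """Dispersing bit permutation a_i = a_{12 i}."""
    n = len(a)
    return [a[(12 * i) % n] for i in range(n)]


def update(a, k, with_step2=True):
    """One iteration A(t+1) = F(A(t), K(t)); with_step2=False omits step 2."""
    a = step1(a)
    if with_step2:
        a = step2(a)
    return step5(step4(step3(a), k))


def step1_is_bijection(n):
    """Exhaustive check of step 1 on an n-bit state (small n only)."""
    images = {tuple(step1(list(bits))) for bits in product((0, 1), repeat=n)}
    return len(images) == 2 ** n


def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks, by Gaussian elimination."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop()
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
        rows = [r for r in rows if r]
        rank += 1
    return rank


def step3_is_invertible(n):
    """Step 3 is linear, so it is a bijection iff its n x n matrix has rank n."""
    rows = [(1 << i) | (1 << ((i + 3) % n)) | (1 << ((i + 8) % n)) for i in range(n)]
    return gf2_rank(rows) == n


def step5_is_bijection(n):
    """i -> 12 i mod n permutes the indices exactly when gcd(12, n) == 1."""
    return sorted((12 * i) % n for i in range(n)) == list(range(n))


def weight_after_one_update(with_step2=True):
    """Hamming weight of the state one iteration after reset with an all-zero key."""
    return sum(update([0] * N, [0] * KEY_BITS, with_step2))


def stuck_at_distances(fault_pos, rounds, key=None):
    """Hamming distance per iteration between a fault-free state and one whose
    register bit `fault_pos` is stuck at 0, both started from reset and driven
    with the same key.  Simplified fault model (assumption): the stuck bit is
    forced to 0 after every update."""
    key = key if key is not None else [0] * KEY_BITS  # constructed input
    good, bad, out = [0] * N, [0] * N, []
    for _ in range(rounds):
        good = update(good, key)
        bad = update(bad, key)
        bad[fault_pos] = 0
        out.append(sum(x != y for x, y in zip(good, bad)))
    return out


if __name__ == "__main__":
    print("step 1 bijective: n=5", step1_is_bijection(5), "n=4", step1_is_bijection(4))
    print("step 3 invertible for n=257:", step3_is_invertible(N))
    print("step 5 bijective for n=257:", step5_is_bijection(N))
    print("weight after reset + 1 update, without / with step 2:",
          weight_after_one_update(False), weight_after_one_update(True))
    print("stuck-at-0 on bit 5, distance per iteration:", stuck_at_distances(5, 12))
```

Without step 2 the reset state (all zeros) maps to the all-ones state, which is again circularly symmetric, so the symmetry would never be broken; with step 2 the first iteration already yields a state of weight 254. In the fault run the distance is 1 after the first iteration and at least 5 after the second, since step 1 spreads the single difference to two positions and step 3 to six before the permutation disperses them. Step 1 for an even length fails the exhaustive check, which is the reason the page gives for choosing the prime length 257.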
System Demonstration
The feasibility of the chip has been demonstrated in a system setup for real-time video encryption/decryption. This is illustrated in figure 3. This application could be representative for an environment of pay television in case the television programs would be broadcast in digital form, as is planned for high definition TV. This application could allow that the broadcaster uses different passwords for different programs, and a subscriber could pay for only those programs that he/she is interested in. Even when one would be in possession of the Subterranean chip, with all of its internal details, it would be impossible to get access to the information in an unauthorised way without having access to the password.
In the demonstration system, a composite color video signal (PAL) is captured by a video camera and converted into digital form by an A/D converter. This results in a digital signal at 115 Mbit/sec. This digital signal is encrypted on a first board hosting the Subterranean chip into an encrypted digital signal, which could then be broadcast to all subscribers. At the other end a receiver board with the Subterranean chip is used to decrypt the digital information at a speed of 115 Mbit/sec. Hereafter the information can be converted by means of a D/A converter into analog form so that it can be shown on a color monitor.
In the demonstration setup, the passwords for the encryption and decryption board are entered via PCs interfaced to the encryption and decryption boards respectively. This demonstrator is operational and pictorially illustrates the concepts of cryptography and the practical applicability of the Subterranean algorithm. The chip and the algorithm itself however have the potential to be applied for much higher throughput applications as well.
The demonstration setup mentioned above will be used as a driving vehicle for the development and practical application of formal design and verification methods that are being developed in the CHARME ESPRIT Basic Research Action [14]. The demonstration environment is a heterogeneous mixture of different design paradigms and implementation technologies. At the same time it combines hardware and software aspects. A manual exercise has already been conducted to formally prove the correctness of the cryptographic chip with respect to its higher level behavior by means of the SFG-Tracing verification methodology [12]. This methodology has currently already been applied successfully for the automatic verification of high level synthesis results [13].
