Pipelined Crypto-PAn 128-bit AES

Pipelined Crypto-PAn 128-bit AES


Category: Crypto Core

Created: February 16, 2007

Updated: January 27, 2020

Language: VHDL

Other project properties

Development Status: Stable

Additional info: Design done, FPGA proven

WishBone compliant: No

WishBone version: n/a

License: GPL



A hardware implementation of Crypto-PAn[1]. The core makes use of a fully pipelined 128-bit AES (Rijndael) cipher engine as the underlying pseudorandom function, supports online key changes, and is capable of line rates exceeding gigabit ethernet.

[1] Blake, A. and Nelson, R. 2008. Scalable Architecture for Prefix Preserving Anonymization of IP Addresses. In Proceedings of the 8th international Workshop on Embedded Computer Systems: Architectures, Modeling, and Simulation (Samos, Greece, July 21 - 24, 2008). M. Bereković, N. Dimopoulos, and S. Wong, Eds. Lecture Notes In Computer Science, vol. 5114. Springer-Verlag, Berlin, Heidelberg, 33-42.


Crypto-PAn features:
- One to one mapping from original IP address to anonymized IP address
- Prefixes are preserved. That is, if two original IP addresses sharea a k-bit prefix, their anonymized mapping also share a k-bit prefix.
- Consistency is maintained across traces. That is, the same IP address in differant traces is mapped to the same anonymized IP address, if the secret key used is the same.

Core features:
- Fully pipelined
- AES(Rijndael) engine capable of 32Gbit/s throughput on Virtex-4.
- Supports online secret key changes.
- Compatiable with Jinliang Fan's C+++ reference implementation. That is, using the same secret keys, IP addresses will map to the same anonymous IP addresses.
- Capable of anonymizing traces at line rates above gigabit ethernet.


Verified in hardware on XCV4FX60 FPGA.