TLS 1.3 Engine for FPGA Based Systems: A High-Security and High-Performance Solution for Data Transmission

Transport Layer Security (TLS) is a protocol that provides encryption and authentication for data transmission over the Internet. TLS is widely used for web browsing, email, online banking, and other applications that require security and privacy. The latest version of TLS, TLS 1.3 (RFC 8446), was published in 2018, bringing significant improvements in security and performance over the previous versions.

However, implementing TLS 1.3 on software platforms such as CPUs or GPUs can be challenging and inefficient, due to the high computational complexity and memory requirements of the protocol. Moreover, software implementations are vulnerable to side-channel attacks that can leak sensitive information from the memory or cache. Therefore, a hardware-based solution that can offload the TLS 1.3 operations to a dedicated device is desirable for achieving high-security and high-performance data transmission.

In this article, we will introduce a TLS 1.3 Engine for FPGA based systems, developed by Design Gateway Co., Ltd., a leading provider of FPGA IP cores and solutions. This TLS 1.3 Engine is a high-security and high-performance solution that can be applied to various kinds of data transmission applications that require TLS 1.3 support. We will highlight three key strengths of this TLS 1.3 Engine: CPU-free operation, FPGA-friendly implementation, and high-speed data transmission.

CPU-Free Operation for TLS 1.3

One of the main advantages of this TLS 1.3 Engine is that it can operate without the need for a CPU or a software stack. The engine handles the entire TLS 1.3 protocol, including the handshake, record layer, and application layer, in its own hardware logic. It also performs the cryptographic operations, such as AES-GCM encryption/decryption, RSA/ECC signature generation/verification, and ECDH key exchange, using its own hardware accelerators, and it interfaces with any user logic or external device through a simple, standard AXI4-Stream interface.

The CPU-free operation of the TLS 1.3 Engine brings several benefits for the system design and performance:

  • It reduces the CPU load and memory usage, freeing up the CPU resources for other tasks.
  • It eliminates the software vulnerabilities and bugs that may compromise the security or reliability of the system.
  • It prevents the side-channel attacks that may exploit the software timing or power consumption to reveal the secret keys or data.
  • It simplifies the system integration and configuration, as there is no need to install or update any software drivers or libraries.

FPGA-Friendly Implementation

Another benefit of this TLS 1.3 Engine is its FPGA-friendly implementation, which makes it easy to integrate with any FPGA device and design. The TLS 1.3 Engine uses a modular and scalable architecture that consists of four main components:

  • The Handshake Controller, which manages the TLS 1.3 handshake process and negotiates the session parameters with the peer.
  • The Record Layer Controller, which handles the TLS 1.3 record layer protocol and encrypts/decrypts the application data using AES-GCM.
  • The Crypto Controller, which performs the cryptographic operations using RSA/ECC/ECDH hardware accelerators.
  • The AXI4-Stream Interface, which provides a standard interface for data input/output and control signals.
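As an added illustration (not Design Gateway's code), the TLS 1.3 key-schedule steps that a Handshake Controller and Record Layer Controller like those above must carry out: HKDF-Expand-Label from RFC 8446, the first Extract step, the per-direction write key/IV derivation, and the per-record AEAD nonce. It uses only the Python standard library with SHA-256 cipher-suite parameters; the AES-GCM call itself is left to the hardware accelerator.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for the SHA-256 cipher suites

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): concatenate T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out, i = out + block, i + 1
    return out[:length]

def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """HkdfLabel (RFC 8446 s7.1): uint16 length, "tls13 " + label, context, each length-prefixed."""
    full = b"tls13 " + label
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret: HKDF-Expand-Label(Secret, Label, Hash(Messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def early_secret(psk: bytes = b"") -> bytes:
    """First key-schedule step: HKDF-Extract(0, PSK), with an all-zero IKM when no PSK is used."""
    return hkdf_extract(b"", psk or bytes(HASH_LEN))

def traffic_key_iv(traffic_secret: bytes, key_len: int = 16, iv_len: int = 12):
    """Per-direction AEAD write key and static IV (RFC 8446 s7.3); defaults fit AES-128-GCM."""
    return (hkdf_expand_label(traffic_secret, b"key", b"", key_len),
            hkdf_expand_label(traffic_secret, b"iv", b"", iv_len))

def record_nonce(iv: bytes, seq: int) -> bytes:
    """Per-record nonce (RFC 8446 s5.3): 64-bit sequence number, left-padded to the IV
    length, XORed with the static IV; the sequence number must never wrap or repeat."""
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))
```

With no PSK, `early_secret()` reproduces the all-zero-IKM early secret listed in the RFC 8448 handshake traces, which is a convenient first check for a hardware key-schedule block.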

The TLS 1.3 Engine supports various configurations and options, such as:

  • Different FPGA devices and families, such as Xilinx or Intel/Altera FPGAs.
  • Different FPGA resources and performance trade-offs, such as logic utilization, memory usage, frequency, latency, and throughput.
  • Different TLS 1.3 features and extensions, such as cipher suites, key exchange modes, signature algorithms, session resumption, and early data.

The FPGA-friendly implementation of the TLS 1.3 Engine enables flexible and customized system design and optimization.

High-Security & High-Speed Data Transmission

The third advantage of this TLS 1.3 Engine is its high-speed data transmission capability, which can achieve up to 100 Gbps throughput using a single FPGA device. The high-speed data transmission of the TLS 1.3 Engine is enabled by several factors:

  • The use of parallel processing and pipelining techniques to increase the concurrency and efficiency of the hardware logic.
  • The use of high-performance hardware accelerators to speed up the cryptographic operations.
  • The use of high-speed transceivers and interfaces to support fast data transfer between the FPGA and the network or the user logic.
  • The use of TLS 1.3 protocol features to reduce the handshake latency and overhead, such as zero round-trip time (0-RTT) resumption and encrypted extensions.

The high-security and high-speed data transmission of the TLS 1.3 Engine can support real-time and demanding applications that require high throughput, low latency, and low CPU usage, such as cloud computing, big data analytics, video streaming, and online gaming.

Conclusion

In this article, we have presented a TLS 1.3 Engine for FPGA based systems, developed by Design Gateway Co., Ltd., a leading provider of FPGA IP cores and solutions. This TLS 1.3 Engine is a high-security and high-performance solution that can be applied to various kinds of data transmission applications that require TLS 1.3 support. We have highlighted three key strengths of this TLS 1.3 Engine: CPU-free operation, FPGA-friendly implementation, and high-speed data transmission. If you are interested in learning more about this TLS 1.3 Engine or other FPGA IP cores and solutions from Design Gateway Co., Ltd., please visit their website at.