Including security at optical line rates was once considered a luxury, but is now
becoming an essential feature. Helion developed the world's first FPGA-based
10Gbps encryption engine back in 2004, and since then has been refining its high rate
solutions so as to make them easier to deploy and more efficient in terms of resource and
The optical networking standards do not include specifics on how to encrypt the payload
data (OPU) being carried. Since properly designed encryption has various requirements
and overheads, these must be accomodated within the limits of the network. Helion
has developed a methodology for supporting this, making deployment much more straightforward
than it otherwise might be.
Helion Optical Networking security solutions
As part of a wider range of high-rate encryption solutions, the Helion 10Gbps "Optical"
AES-GCM Encryption IP Core is ideal for those customers looking to add encryption to
optical transport networks, for example OTN2 or SONET/SDH for OC-192 line rates.
A Choice of Two
This core is available in two versions, each with a 64-bit data interface:
A generic core, where proprietary encapsulation, non-standard line rates, and the overhead
may be freely chosen to suit both the encryption and other application requirements.
There is considerable flexibility in the frame format provided the encryption timings are met.
The maximum line data rate supported is typically in the range 10Gbps to 16Gbps.
An OTU2 core, using the G.709 OTU2 frame format, which assumes it is possible to "steal"
both unused and reserved frame overhead for the necessary encryption overhead. Some
flexibility in the overhead locations used, and further customisation of this core,
is possible to suit the specific customer application.
What modes do these cores support?
Both solutions integrate together all of the AES and GHASH functions required to perform bulk
encryption on the client payload. They offer a choice of confidentiality only (AES-CTR mode),
authentication only (GMAC mode), or both together (full AES-GCM). At the application frame level,
the cores also include IV generation and insertion, and MIC insertion and checking. The encrypt
and decrypt modules are distinct but very similar, differing only in the details of the top
level IV and MIC handling.
This AES-GCM core is available for most high performance FPGA technologies, and also ASIC.
The interfaces are designed to allow simple connection into an optical networking datapath,
processing one 64-bit word per clock for nominal 10Gbps operation. However, it is capable of
supporting up to 16Gbps in many FPGA technologies using higher clock rates; in the range
156 to 250MHz is typical.
What about Higher Rates?
For higher rate support (OTU3 and OTU4 rates) please contact Helion for more information.
Measured Area and Performance
AES-GCM core - OTU2 version
Encrypt or Decrypt direction - both are similar
||MAX CORE CLOCK
|Altera Arria V GZ (C4)
|Altera Arria V GZ (C3)
|Altera Stratix V (C2)
|Altera Stratix V (C1)
|Xilinx Virtex-6 (-1)
|Xilinx Virtex-6 (-2)
|Xilinx Virtex-6 (-3)
|Xilinx Virtex-7 (-1)
|Xilinx Virtex-7 (-2)
|Xilinx Virtex-7 (-3)
Note 1: A minimum clock rate of 167.33MHz is required to support OTU2 rates with the above core,
but any rate between this and the maximum quoted may be used for convenience.
Note 2: The above figures are quoted for the OTU2 version of the core; the more generic core
is similar, and typically a few percent smaller. Please contact Helion for specific data
For more detailed information on this or any of our other products and services,
please feel free to email us at
firstname.lastname@example.org and we will be pleased to discuss how we can assist
with your individual requirements.