FPGAs in cryptanalysis: Key search machine 2 interface
20 Oct 2003


The registers available to the programmer are:

0BUFFERSee textRead/write
1CTEXTSets the ciphertext to useWrite only
2PTEXTSets the plaintext to useWrite only
3IVSets the initialisation vector to useWrite only
Revised key search machine registers

The BUFFER register has the following format:

0–3VERSIONProtocol version (2)
4DVALIDSet when the machine is ready for a new command
6RWSpecifies whether this command describes a read or write operation
8–15ADDRSpecifies the target address for the write or read
16–63DATASee text
Revised key search machine registers

VERSION and DVALID function identically to the original key search machine. In this version of the machine the BUFFER register indirectly controls the search bus. A write is performed by setting RW to 1 and specifying the data in the DATA register. A read is performed by writing a word with RW set to 0 and then polling the BUFFER register until DVALID goes high. The data will be contained in the space allocated to the DATA field.

A read or write through the BUFFER register always sets or retrieves the key in use by a search unit. The exact interpretation of the DATA field depends on the key generator in use. The intended purpose is for DATA to be interpreted as a block number during a write, and treated as the key number (least significant 32 bits) during a read.

When reading through the BUFFER register, 32 bits are used by the key value. The other 8 bits are used by the search unit to report status information:

0KEYVALIDSet when the search unit has a key block to search through
1RUNNINGSet when the search unit is searching its key block
8–47KEYThe least significant 32 bits of the key value
Revised key search machine search unit read format


  1. Software checks presence and version of board by reading BUFFER register
  2. If VERSION is 0, program complains that FPGA has not been programmed
  3. If VERSION is not 2, program complains that software version does not match or FPGA is incorrectly programmed
  4. For each address where a search unit is believed to exist

    1. Software performs a read-through-BUFFER operation on the appropriate address
    2. If the key returned is 1, a search unit exists at that address
  5. Software writes CTEXT, PTEXT and IV registers

  6. For each search unit:

    1. Software writes initial key into search unit with a write-through-BUFFER operation
  7. Until correct key is located:

    1. Software polls the RUNNING bit of each known search unit in turn.
    2. If RUNNING on a search unit is 0:

      1. Record the key value as a potential key
      2. Write the block number to the search unit so that it continues searching from the same point

The key that is read from the key buffer is the value that was in the key generator at the time the search unit was halted, not the key that caused the search unit to halt. The software must be aware of the number of clock cycles required to process a single key and subtract that value from the retrieved value. This value is algorithm dependent.

comments powered by Disqus