Oceanus hardware ChaCha20-Poly1305 Accelerator

Cerberus Oceanus logo

Feature Summary

  • Very fast throughput, 1.6 bytes/cycle for the base configuration
  • Scalable to ultra-high speeds
  • Fully autonomous packet processing capability
  • Constant time implementation to prevent timing attacks
  • Cryptographically masked version available for enhanced side-channel attack (SCA) protection
  • Optional secret key table with protected key delivery bus for use with a hardware key manager
  • Suitable for both ASIC and FPGA
  • Reference Linux┬«1 driver
  • Customisation and consultancy services available

IP Overview

Chacha20-Poly1305 is a symmetric authenticated cipher with associated data (AEAD). It requires a 256 bit secret key and a unique per-operation value called a nonce, a number used once. As well as performing encryption or decryption, the cipher produces a 16 byte message authentication code (MAC) tag that can be used to validate the protected data.

This cipher was introduced as an alternative to AES-GCM and has gained much traction in the industry, particularly in resource-constrained environments. For example, it is now widely used to secure TLS sessions and is also used in the Wireguard®2 VPN protocol.

The Cerberus Chacha20-Poly1305 accelerator is a configurable hardware IP core capable of delivering high speed AEAD performance. The engine is provided as an AXI stream accelerator and can be driven entirely via a DMA engine and linked list using the AXI stream control and status interfaces. Alternatively, control may be managed through a traditional register interface such as an AXI4L slave port.

In addition to Chacha20-Poly1305, XChaCha20-Poly1305 is also supported, which better supports the use-case where the nonce is a randomly generated value.

The engine is capable of directly processing payloads that include associated data headers without CPU intervention, and ultra-high speeds are possible using advanced configurations that exploit parallel computation.

Example configuration
Example configuration

Value-added services

Based on your exact requirements, Cerberus deliver a fully tailored IP solution, suitable for ASIC or FPGA integration. Cerberus are also able to offer a bespoke software driver development service to our customers. We are happy to work closely with customers at an early stage, to help review their requirements, derive appropriate threat models and mitigations, and formulate a suitable security system architecture.

PDF download

You can download the Oceanus ChaCha20-Poly1035 hardware accelerator brief here

Contact us

Please use the web contact form or email us for more information.


  1. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. ↩︎

  2. Wireguard is a registered trademark of Jason A. Donenfeld. ↩︎