ASIP Architecture Exploration for efficient IPSec Encryption: A Case Study Hanno Scharwaechter, David Kammler, Andreas Wieferink, Manuel Hohenauer, Kingshuk Karuri, Jianjiang Ceng, Rainer Leupers, Gerd Ascheid, and Heinrich Meyr Integrated Signal Processing Systems, Aachen University of Technology, Aachen, Germany scharwaechter@iss.rwth-aachen.de Abstract. Application Specific Instruction Processors (ASIPs) are in- creasingly becoming popular in the world of customized, application- driven System-on-Chip (SoC) designs. Efficient ASIP design requires an iterative architecture exploration loop - gradual refinement of proces- sor architecture starting from an initial template. To accomplish this task, design automation tools are used to detect bottlenecks in embed- ded applications, to implement application-specific instructions and to automatically generate the required software tools (such as instruction set simulator, C-compiler, assembler, profiler etc.) as well as to synthesize the hardware. This paper describes an architecture exploration loop for an ASIP coprocessor which implements common encryption functional- ity used in symmetric block cipher algorithms for IPsec. The coprocessor is accessed via shared memory and as a consequence, our approach is eas- ily adaptable to arbitrary processor architectures. In the case study, we used Blowfish as encryption algorithm and a MIPS architecture as main processor. 1 Introduction The strong growth of internet usage during the past years and the resulting packet traffic have put tight constraints on both protocol and hardware devel- opment. On the one hand, there is the demand for high packet throughput and on the other hand, protocols have to meet the continously changing traffic re- quirements like Quality-Of-Service, Differentiated Services, etc. Furthermore, the increasing number of mobile devices with wireless internet access like laptops, PDAs and mobile phones as well as Virtual Private Networks (VPNs) has made security one of the most important features of today’s networks. IPsec is proba- bly the most transparent way to provide security to the internet traffic. In order to achieve the security objectives, IPsec provides dedicated services at the IP layer that enable a system to select security protocols, determine the algorithm to use, and put in place any cryptographic keys required. This set of services provides access control, connectionless integrity, data origin authentication, re- jection of replayed packets (a form of partial sequence integrity), confidentiality