Developed by Philips Usfa/Crypto
This page describes the evolution of dedicated cryptographic chips
developed by Philips Usfa (later: Philips Crypto) over the years.
Most of these were developed exclusively for use in
Philips' cryptographic appliances,
but later chips were used in products of other companies as well.
As Philips was a semiconductor manufacturer, they were able to
develop and manufacture their own chips. Some divisions of Philips, such as the
professional camera division (BTS) already used these facilities to produce
custom OEM chips that were not available to other customers.
Such chips would generally get a so-called OQ-number,
with the OQ44xx range reserved for Philips Usfa.
The image on the right shows an early production sample of the
(see below). This chip was developed in the mid-1980s for some of the
Spendex voice ciphers.
The first crypto chips were developed around 1974/75 especially for the
Aroflex range of cipher machines. Until that time,
the crypto-heart of all Philips cipher machines consisted of discrete electronics.
The OQ4406 was intended for use by NATO and the Dutch Government,
while the OQ4407 was used for all other customers.
The OQ4406 was also used in
in a thick film hybrid module.
The timeline below shows roughly when the various crypto chips were
The early OQ4406/07
chips lasted until they were replaced by their successors
OQ4434/35/36 around 1990.
In the meantime, around 1985, Philips had created the
OQ4430 especially for voice encryption
by implementing the highly secret American NSA Type-1
In the mid-1990s, Philips moved away from proprietary stream
cipher encryption methods that found their origin in the ancient
(wheel-based) mechanical models, and developed a
range of crypto processors with mathematical building blocks to create
algorithms like DES and RSA. These chips were commercially available
to third parties under a so-called Non-Disclosure Agreement (NDA).
The OQ4406 and OQ4407 were the first generation of custom-made crypto chips
used in Philips cipher equipment.
Each chip contained a complex non-linear
shift register that could be seen as an advanced electronic version of
a coding wheel of a mechanical cipher
machine, such as the war-time German Enigma machine,
the later Russian Fialka
and the American KL-7 (Adonis).
By connecting several of these chips in a chain,
a stream cipher could be realized.
Such a cipher could be viewed
as an electronic version of a mechanical cipher machine.
Generally, 8 such chips were used in the
In the Aroflex machine.
To hide the electronics from prying eyes and as an elementary
anti-tamper measure, the crypto heart was
usually potted in a rigid
The image on the right shows the interior of a crypto heart of an
Aroflex-derivative based on a series of OQ4407 chips.
Note that the OQ4407 is less secure than the pin-compatible OQ4406.
The OQ4406 was used in real Aroflex
machines and was classified Confidential.
The Aroflex was approved for TOP SECRET and NATO SECRET
The OQ4407 chip was used for all other customers, including the Siemens T-1000CA.
Internally, crypto-logics based on the OQ4407 were also referred to as Beroflex.
With the right means, machines with the OQ4407 were breakable.
Both chips could be connected in several ways, giving some level of
configurability. This allowed the designers to create different crypto hearts
(or crypto-logics as they were called) for different customers.
The OQ4406 logic was later used (around 1980) in the portable
Picoflex machine as well.
In Picoflex, four OQ4406 crystals are mounted on a thick film component in
a single metal package.
Being NATO CEROFF standard,
the Picoflex was compatible with the NATO version of
and with the Norwegian RACE (KL-51)
when operating in Aroflex mode (a.k.a. EPSOM).
In open literature, this type of cipher is also known as a cascade clock
Products based on the OQ4406/07
In the early 1980s, Philips developed the narrow-band
crypto phone for use by the Dutch Government and the Army.
As it was their intention to sell this phone to NATO as a STU-II
SAVILLE algorithm was used.
It was thought that by using an existing already-approved algorithm,
the time-to-market would be shortened.
By special permission of the NSA,
Philips is believed to be the first non-US
company to be allowed to implement the
SAVILLE algorithm in their own hardware.
The result is the OQ4430.
The same OQ4430 chip was later used in the military
Spendex 50 (DBT) wide-band
crypto phone, that was developed shortly after the Spendex 40,
and was used on the Dutch
ZODIAC combat communications network.
The image on the right shows an OQ4430 chip on the crypto board of the
Spendex 50. Three such chips were generally combined for fail-safe operation.
As the secret SAVILLE algorithm
was implemented in the OQ4430, it was difficult
for Philips to sell the Spendex 40
and Spendex 50 phones to other customers
and countries, as they had to seek
NSA-approval on each occasion.
Nevertheless, both phones were used extensively by NATO,
the Dutch Government and by some other countries such as the United Kingdom
For customers outside the NSA-controlled community, an alternative cryptographic
algorithm was developed, that featured pin-compatibility with the OQ4430 chip.
The phones that featured this chip were advertised as the
NBSV-45 (Spendex 40)
and the DWBST-55 (Spendex 50)
but were not produced due to lack of sufficient orders.
As a result the alternative chip was never produced.
Products based on the OQ4430
OQ4434, OQ4435 and OQ4436
In the late 1980s, the Philips Crypto roadmap was extended with a series
of products referred to as 'the new generation crypto equipment',
also known as NGC. The NGC allowed much higher encryption speeds, had
multi-channel encryption, and comprised all applications, such as secure
voice (narrowband and wideband), secure fax, and secure data (X.25 at
layers 2, 3 and 4 and Link).
Consequently, Philips started development of a series of 'next-generation'
crypto chips. Although the principle is based on the earlier OQ4406/07 chips,
they are in fact much more complex and can be regarded as enhanced
versions of the earlier OQ4406 and OQ4407 chips.
As Philips wanted the new chips to be used in a variety of products that would
in turn be sold to a variety of governmental and non-governmental customers,
it was decided to develop different variants: the OQ4434, OQ4435 and OQ4436.
The chips were pin-compatible but contained different cryptographic building
blocks. This allowed Philips to sell the same product to different customers
without jeopardizing (state) security. Depending on the customer and/or the
application, a different chip would be selected, keeping the application
Both the OQ4434 and the OQ4436 were equipped with compatibility modes,
providing backwards compatibility with the older OQ4407 and OQ4406 respectively.
A vast number of crypto-logics could be realized with these chips, including
all existing old variants and turbo 12-wheel versions of the OQ4406
The OQ4435 was not related to any previous crypto chip.
It also was a stream cipher based on the same principle and it included a
All three chips were used from 1990 onwards in a new range of
crypto products, such as the PNVX phones,
the PFDX fax encryptor
and the PLDX data encryptor.
The image on the right shows an example of a crypto heart that was used in
In many cases two OQ443x chips were used in order to obtain a full-duplex
data stream (send and receive at the same time), whilst a small 8051
microcontroller (here visible at the center) was used for the configuration
and control of the cryptographic building blocks inside the chips.
The PCB shown here was the crypto heart of a PNVX phone
and contains two OQ4436 chips. It was used by the Dutch Government
for voice communication at the highest level (top secret).
A single OQ4434 was also implemented in the
PFX/PM hand-held radio,
where it was used for simplex voice communication.
The same chip was later used in the MDT data terminals
of the Eindhoven Police Department, for which it had to be repackaged
in order to fit a PCMCIA card.
The OQ4436 was used again in the Aroflex II (T-1285).
As the chip was an enhanced version of the earlier OQ4406, it allowed the
Aroflex II to be backwards compatible with
the old Aroflex.
Products based on the OQ4434/35/36
In the mid-1990s, Philips recognized the need to develop a new generation
of faster and more versatile crypto chips.
Unlike previous chips, that were implementations of proprietary stream
cipher algorithms, the new chip would use modern mathematical
cryptographic algorithms such as DES and RSA.
The new chip was called General Crypto Device (GCD) and was (co)developed
with the Institut für Angewandte Mikroelektronik (IAM)
in Braunschweig (Germany). The design was later held by SICAN in Hamburg,
which was taken over in 2000 by Infineon (now: Sci-worx).
Some backend processing was done in Vught (Netherlands)
by Pijnenburg Custom Chips BV (later: Securealink),
which is why their name appears on the chip.
Pijnenburg was taken over in 2001 by
SafeNet and in
2010 by AuthenTec (US).
The chip was produced by ES2 in France.
The GCD contained building blocks for DES, IDEA and RSA and was
available to the general public.
Although Philips never implemented the GCD in any product, it was used
in an early prototype of the V-kaart.
Furthermore, it was the foundation on which the later
GCD-PHI chip was based.
At the heart of the GCD chip is an application-specific
32-bit RISC core, known as the Arithmetic Processor.
It is optimized for high performance arithmetic functions and allows
up to four parallel operations on registers, memory and pointers,
much like a DSP. Below is a simple block diagram.
The chip has a flexible I/O controller that can be adapted to accommodate
virtually any host bus, allowing data transfer speeds up to
160MB/s. Also embedded on the chip is a Random Number Generator (RNG) and
an industry-standard 8-bit 8051 microcontroller,
that can be used for the implementation of a user interface
such as a keypad, a display or a smart-card reader.
The GCD chip is implemented as an Application-Specific Integrated
Circuit (ASIC) in 0.6 µm standard cell technology.
It operates at 3.3V and contains approx. 400,000 transistors.
Although the ASIC is clocked at a modest 25MHz, the DES algorithm can be
executed at 100Mb/s when running in ECB, CBC, CFB and OFB cipher modes.
As the individual crypto functions can be accessed directly by the
program, the chip is not limited to DES and RSA, but can also be used for
proprietary and future algorithms, with the only limitation being the
4MB on-chip memory.
To assist developers with the implementation of the GCD chip in their
designs and software, the evaluation board shown above was made available
by the manufacturer.
The GCD-PHI chip was in fact a further development of the earlier General
Crypto Device (GCD). It was developed a few years later, after ES2 had stopped
the production of the original GCD, due to lack of sufficient orders.
The extension PHI to the name of the chip (GCD-PHI) clearly refers
to PHILIPS. It was commonly written as GCD-Φ (with the Greek letter PHI).
The GCD-Φ became available by the end of 1997 and was used as the
heart of the
V-kaart, a data security product that Philips
developed for the Dutch Government and the Dutch Army.
Philips made it possible to include
features that would make it suitable for (state) secret applications.
Nevertheless, the chip was available to other manufacturers and was used
in a number of products, such as equipment for financial transactions
(e.g. PIN terminals).
Philips actively promoted the GCD-Φ by releasing a datasheet under NDA
and a 4-page brochure.
According to the brochure,
the chip was suitable for the implementation of
the standard algorithms of the era, including DES, IDEA, RSA and SHA,
but also for customer-specific algorithms.
- Programmable advanced block cipher core (64-160 bits wide)
- Second substitution box organized as two independent byte-look-up tables
- Built-in Random Number Generator (RNG)
- 32Kb on-chip RAM
- 128-bit hyper-secure on-chip memory
Like the earlier GCD chip,
the GCD-Φ allowed encryption rates up to 100 Mb/s.
The GCD-Φ chip is implemented as an Application-Specific Integrated
Circuit (ASIC) in 0.5µ standard cell technology. It operates at 3.3V,
contains approx. 200,000 logic gates and is clocked at 48 MHz.
The block cipher core is highly versatile with dynamic per-round configuration.
It supports an efficient implementation of the classified American
BATON block cipher algorithm.
According to the brochure, the GCD-Φ was used in a number of
real (Philips) products, including the Virtual Private Network Guard
(VPN Guard), V-kaart
and a 2Mbps Link Encryption System PLDX 6142 (LES).
When Philips Crypto closed down in 2003,
the V-kaart project was
taken over by Fox-IT (Delft, Netherlands),
whilst the two other products
went to Compumatica (Uden, Netherlands).
The hyper-secure on-chip memory can be erased instantly in case of an emergency,
even when running in battery backup mode.
Immediately after the introduction of the GCD-Φ, Philips started
development of an improved version of the chip, designated GCD-PHI 2000
or GCD-Φ 2000. It was a drop-in replacement for the earlier GCD-Φ,
but had improved performance, expanded capacity and extra features.
Compared to the earlier GCD-Φ, the 2000-version
had some additional features, such as
a programmable 32-bit permutation, and the on-chip RAM that
had been increased to 64Kb.
At the same time, the built-in hyper-secure memory was doubled
from 128 to 256 bits.
Most important was its on-board integrity check mechanism,
designed to guard the integrity of the RAM and box contents.
With this mechanism, the AP-program and the contents of the S-boxes
and programmable permutation were effectively secured against manipulation
and chip defects.
The image above shows two GCD-Φ 2000 chips as they were finally produced.
The GCD-Φ 2000 chip is implemented in 0.35µ three metal layer technology
with 340,000 gate equivalents, and allows a clock frequency of 60 MHz.
A special evaluation board
was available for developers.
Although the GCD-Φ family was really state-of-the-art when it was
introduced, the chips were not very efficient for modern algorithms like AES.
According to the brochure, Philips had the intention to expand their
range of crypto chips in order to support emerging standards.
Unfortunately, these never materialized, as Philips Crypto was dissolved
in 2003 due to lack of orders.
The rights to the GCD-Φ and GCD-Φ 2000 were transferred to Dutch
crypto company Fox-IT who successfully
implemented it in some of their products, including the
FFFE crypto card.
The Fort Fox File Encryptor (FFFE) was in
fact the successor to the Philips V-Kaart
(or more precisely: the C-card),
and was used extensively by the Dutch Government for many years up to
the level of SECRET (Stg. Geheim).
The FFFE was finally phased out in early 2012.
Products based on the GCD, GCD-Φ and GCD-Φ 2000
- Nikolaus Lange, Single-Chip Implementation of a Cryptosystem for Financial Applications
SICAN Braunschweig GmbH.
Financial Cryptography, First International Conference, February 1997.
Springer-Verlag. ISBN 3-540-63594-7. pp. 135-144.
- P. Arora, M. Dugan, P. Gogte, GMU, Survey of commercially available cryptographic...
...chips and IP cores implementing cryptographic algorithms.
- Philips Crypto BV, GCD-Φ General Crypto Device (brochure)
9922 154 22011. Date unknown; probably around 1997.
- Philips Crypto BV, GCD-Φ 2000, General Crypto Device (brochure)
9922 154 22451. Date unknown; probably around 2000.
© Crypto Museum. Created: Saturday 27 October 2012. Last changed: Monday, 28 November 2016 - 14:06 CET.