Click for homepage
Crypto Chips
Developed by Philips Usfa/Crypto

This page describes the evolution of dedicated cryptographic chips developed over the years by Philips Usfa (later: Philips Crypto). Most of the early chips were made exclusively for use in Philips' own cryptographic appliances, but later chips were used in third party crypto products as well.

As Philips was a semiconductor manufacturer, they were able to develop and manufacture their own integrated circuits (ICs) (chips). Philips's professional camera division (BTS) already used these facilities to produce custom OEM chips that were not available to other customers.

Such chips were generally given a so-called OQ number, with the OQ44xx range reserved for Philips Usfa. The image on the right shows an early production sample of the OQ4430. This chip was developed in the mid-1980s for the Spendex 40 and 50 voice encryption devices.

The first crypto chips were developed around 1974/75 especially for the Aroflex range of cipher machines. Until that time, the crypto-heart of all Philips cipher machines consisted of discrete electronics. The OQ4406 was intended for use by NATO and the Dutch Government, while the OQ4407 was used for all other customers. The OQ4406 was also used in Picoflex, in a tick film hybrid variant. The timeline below shows roughly when the various crypto chips were developed.

Timeline of Philips Crypto Chips

The early OQ4406/07 chips lasted until they were replaced by their successors OQ4434/35/36 around 1990. In the meantime, around 1985, Philips had created the OQ4430 especially for voice encryption by implementing the highly secret American NSA Type-1 SAVILLE algorithm. In the mid-1990s, Philips moved away from proprietary stream cipher encryption methods that found their origin in the ancient (wheel-based) mechanical models, and developed a range of crypto processors with mathematical building blocks to create algorithms like DES and RSA. These chips were commercially available to third parties under a so-called Non-Disclosure Agreement (NDA).

OQ4406 and OQ4407
OQ4406 and OQ4407 were the first generation of application-specific integrated circuits (ASICs) used in Philips encryption devices. Each chip contains a complex non-linear feedback shift regis­ter (NLFSR) that could roughly be seen as the electronic equivalent of a mechanical cipher rotor, similar to the rotors of the German Enigma, the Russian M-125 (Fialka) and the American KL-7.

By connecting several of these chips in a chain, a stream cipher 1 could be realized. Such a cipher could be viewed as an electronic version of a mechanical cipher machine. Generally, 8 such chips were used in the In the Aroflex machine. To hide the electronics from prying eyes and as an elementary anti-tamper measure, the crypto heart was usually potted in a rigid foam block.

The image on the right shows the interior of the crypto heart of an Aroflex-derivative based on a series of OQ4407 chips. Note that the QO4407 is less secure than the pin-compatible OQ4406.

The OQ4406 was used in real Aroflex machines and was classified Confidential. The Aroflex was approved for TOP SECRET and NATO SECRET messages. The OQ4407 chip was used for all other customers, including the Siemens T-1000CA. Internally, crypto-logics based on the OQ4407 were commonly known as Beroflex. With the right means, machines with the OQ4407 were breakable.

Both chips could be connected in several ways, giving some level of configurability. This allowed the designers to create different crypto hearts (or crypto-logics as they were called) for different customers. in 1980, the OQ4406 logic was also used in the portable Picoflex cipher machine. In Picoflex, four OQ4406 substrates are mounted on a tick film carrier in a single metal package. Being NATO CEROFF standard, Picoflex was compatible with the NATO version of Aroflex and therefore also with the Norwegian RACE (KL-51) when operating in Aroflex mode (a.k.a. EPSOM).

  1. In open literature, this type of cipher is also known as a cascade clock controlled cipher.

Products based on the OQ4406 and OQ4407
Aroflex UA-8116
Picoflex UA-8035
Siemens T-1000/CA (and Philips Beroflex)
In the early 1980s, Philips developed the narrowband Spendex 40 crypto phone for use by the Dutch Government and the Army. As it was their intention to sell this phone to NATO as a STU-II compatible product, the GCHQ/NSA-developed SAVILLE algorithm was used. It was thought that by using an existing already-approved algorithm, the time-to-market would be shortened.

By special permission from the NSA, Philips is believed to be the first non-US company to be allowed to implement the SAVILLE algorithm in their own hardware. The result is the OQ4430.

The same OQ4430 chip was later used in the military Spendex 50 (DBT) wideband crypto phone, that was developed shortly after the Spendex 40 for use on the Dutch ZODIAC combat communications network. The image on the right shows an OQ4430 chip on the crypto board of the Spendex 50. Three such chips were generally combined for fail-safe operation.

As the secret SAVILLE algorithm was implemented in the OQ4430, it was difficult for Philips to sell the Spendex 40 and Spendex 50 phones to other customers and countries, as they had to seek NSA-approval on each occasion. Nevertheless, both phones were used exensively by NATO, the Dutch Government and by some other countries such as the United Kingdom and Germany.

For customers outside the NSA-controlled community, an alternative cryptographic algorithm was developed, that was implemented as a pin-compatibile chip. Phones that featured this chip were advertised as NBSV-45 (Spendex 40) and DWBST-55 (Spendex 50) but were never taken into pro­duction due to lack of sufficient orders. As a result the alternative chip wasn't produced either.

Products based on the OQ4430
Spendex-40 secure telephone for voice, fax and computer
Spendex 50 (DBT), military secure crypto phone
OQ4434, OQ4435 and OQ4436
In the late 1980s, the Philips Crypto roadmap was extended with a series of products referred to as 'the new generation crypto equipment', also known as NGC. The NGC allowed much higher encryption speeds, had multi-channel encryption, and comprised all applications, such as secure voice (narrowband and wideband), secure fax, and secure data (X.25 at layers 2, 3 and 4 and Link). Consequently, Philips started development of a series of 'next-generation' crypto chips. Although the principle is based on the earlier OQ4406/07 chips, they are in fact much more complex and can be regarded as enhanced versions of the earlier OQ4406 and OQ4407 chips.

As Philips wanted the new chips to be used in a variety of products that would in turn be sold to a variety of governmental and non-governmental customers, it was decided to develop different variants: the OQ4434, OQ4435 and OQ4436.

The chips were pin-compatible but contained different cryptographic building blocks. This allowed Philips to sell the same product to different customers without jeopardizing (state) security. Depending on the customer and/or the application, a different chip would be selected, keeping the application functionally identical.

Both the OQ4434 and the OQ4436 were equipped with compatibility modes, providing backwards compatibility with the older OQ4407 and OQ4406 respectively. A vast number of crypto-logics could be realized with these chips, including all existing old variants and turbo 12-wheel versions of the OQ4406 and OQ4407. The OQ4435 was not related to any previous crypto chip. It was also a stream cipher based on the same principle and it included a random generator. All three chips were used from 1990 onwards in a new range of crypto products, such as the PNVX phones, the PFDX fax encryptor and the PLDX data encryptor.

The image on the right shows an example of a crypto heart that was used in these products. In many cases two OQ443x chips were used in order to obtain a full-duplex data stream (send and receive at the same time), whilst a small 8051 microcontroller (here visible at the center) was used for the configuration and control of the cryptographic building blocks inside the chips.

The PCB shown here was the crypto heart of a PNVX phone and contains two OQ4436 chips. It was used by the Dutch Government for voice communication at the highest level (top secret).

A single OQ4434 was also implemented in the PFX/PM hand-held radio, where it was used for simplex voice communication. The same chip was later used in the MDT data terminals of the Eindhoven Police Department, for which it had to be repackaged in order to fit a PCMCIA card. The OQ4436 was used again in the Aroflex II (T-1285). As the chip was an enhanced version of the earlier OQ4406, it allowed the Aroflex II to be backwards compatibile with the old Aroflex.

Products based on the OQ4434/35/36
PNVX secure crypto telephone, fax and data products
PFDX fact encryptor
PFX-PM portable radio with digital encryption
Secure communication for the Eindhoven Police via Motorola MDT-9100 terminals
Aroflex II cipher machine, also known as PDLX-6141 or T-1285CA
PLDX data encryptor
In the mid-1990s, Philips recognized the need to develop a new generation of faster and more versatile crypto chips. Unlike previous chips, that were implementations of proprietary stream cipher algorithms, the new chip would use modern mathematical cryptographic algorithms such as DES and RSA. The new chip was called General Crypto Device (GCD) and was (co)developed with the Institut für Angewandte Mikroelektronik (IAM) in Braunschweig (Germany). The design was later held by SICAN in Hamburg, which was taken over in 2000 by Infineon (now: Sci-worx).

Some backend processing was done in Vught (Netherlands) by Pijnenburg Custom Chips BV (later: Securealink), which is why their name appears on the chip. Pijnenburg was taken over in 2001 by SafeNet and in 2010 by AuthenTec (US). The chip was produced by ES2 in France.

The GCD contained building blocks for DES, IDEA and RSA and was available to the general public. Although Philips never implemented the GCD in any product, it was used in an early prototype of the V-kaart. Furthermore, it was the foundation on which the later GCD-PHI chip was based.

At the heart of the GCD chip is an application-specific 32-bit RISC core, known as the Arithmetic Processor. It is optimized for high performance arithmetic functions and allows up to four parallel operations on registers, memory and pointers, much like a DSP. Below is a simple block diagram.

The chip has a flexible I/O controller that can be adapted to accommodate virtually any host bus, allowing data transfer speeds up to 160MB/s. Also embedded on the chip is a Random Number Generator (RNG) and an industry-standard 8-bit 8051 microcontroller, that can be used for the implementation of a user interface such as a keypad, a display or a smart-card reader [1].

The GCD chip is implemented as an Application-Specific Integrated Circuit (ASIC) in 0.6 mm standard cell technology. It operates at 3.3V and contains approx. 400,000 transistors. Although the ASIC is clocked at a modest 25MHz, the DES algorithm can be executed at 100Mb/s when running in ECB, CBC, CFB and OFB cipher modes.

As the individual crypto functions can be accessed directly by the program, the chip is not limited to DES and RSA, but can also be used for proprietary and future algorithms, with the only limitation being the 4MB on-chip memory.

To assist developers with the implementation of the GCD chip in their designs and software, the evaluation board shown above was made available by the manufacturer.

The GCD-PHI chip was in fact a further development of the earlier General Crypto Device (GCD). It was developed a few years later, after ES2 had stopped the production of the original GCD, due to lack of sufficient orders. The extension PHI to the name of the chip (GCD-PHI) clearly refers to PHILIPS. It was commonly written as GCD-Φ (with the Greek letter PHI).

The GCD-Φ became available by the end of 1997 and was used as the heart of the V-kaart, a data security product that Philips developed for the Dutch Government and the Dutch Army.

Philips included features that made it possible to develop products for (state) secret applications. Nevertheless, the chip was available to other manufacturers and was used in a number of consumer products, such as equipment for financial transactions (e.g. PIN terminals). Philips actively promoted the GCD-Φ by releasing a datasheet under NDA and a 4-page brochure [3].

According to the brochure, the chip was suitable for the implementation of the standard algorithms of the era, including DES, IDEA, RSA and SHA, but also for customer-specific algorithms. It featured:

  • Programmable advanced block cipher core (64-160 bits wide)
  • Second substitution box organized as two independent byte-look-up tables
  • Built-in Random Number Generator (RNG)
  • 32Kb on-chip RAM
  • 128-bit hyper-secure on-chip memory 1
Like the earlier GCD chip, the GCD-Φ allowed encryption rates up to 100 Mb/s. The GCD-Φ chip is implemented as an Application-Specific Integrated Circuit (ASIC) in 0.5µ standard cell technology. It operates at 3.3V, contains approx. 200,000 logic gates and is clocked at 48 MHz. The block cipher core is highly versatile with dynamic per-round configuration. It also provides an efficient implementation of the secret NSA Type 1 BATON block cipher algorithm.

According to the brochure, the GCD-Φ was used in a number of real (Philips) products, including the Virtual Private Network Guard (VPN Guard), V-kaart and a 2Mbps Link Encryption System PLDX 6142 (LES). When Philips Crypto closed down in 2003, the V-kaart project was taken over by Fox-IT (Delft, Netherlands), whilst the two other products went to Compumatica (Uden, Netherlands).

 Download the brochure

  1. This memory can be erased instantly in case of an emergency, even when running in battery backup mode.

GCD-Φ 2000
Immediately after the introduction of the GCD-Φ, Philips started development of an improved version of the chip, designated GCD-PHI 2000 or GCD-Φ 2000. It was a drop-in replacement for the earlier GCD-Φ, but had improved performance, expanded capacity and extra features.

Compared to the earlier GCD-Φ, the 2000-version had some additional features, such as a programmable 32-bit permutation, and the on-chip RAM that had been increased to 64Kb. At the same time, the built-in hyper-secure memory was doubled from 128 to 256 bits.

Most important was its on-board integrity check mechanism, designed to guard the integrity for the RAM and box contents. With this mechanism, the AP-program and the contents of the S-boxes and programmable permutation were effectively secured against manipulation and chip defects.

The image above shows two GCD-Φ 2000 chips as they were finally produced. The GCD-Φ 2000 chip is implemented in 0.35µ three metal layer technology with 340,000 gate equivalents, and allows a clock frequency of 60 MHz. A special evaluation board was available for developers.

Although the GCD-Φ family was really state-of-the-art when it was introduced, the chips were not very efficient for modern algorithms like AES. According to the brochure, Philips had the intention to expand their range of crypto chips in order to support emerging standards [4].

Unfortunately, these never saw the light of day, as Philips Crypto was dissolved in 2003 due to lack of orders. The rights to the GCD-Φ (2000) were transferred to Dutch crypto company Fox-IT who successfully implemented it in some of its products, including the FFFE crypto card.

The Fort Fox File Encryptor (FFFE), which was in fact the successor to the Philips V-Kaart — or more precisely: the spun-off C-card) — and was used extensively by the Dutch Goverment for many years up to the level of SECRET (Stg. Geheim). FFFE was finally phased out in early 2012.

GCD-Phi crypto chips
GCD-Phi evaluation board
Products based on the GCD, GCD-Φ and GCD-Φ 2000
Computer security card for the Dutch Government
2Mbps link encryption system
IP encryptor
For Fox File Encryptor
Similar products
  1. Nikolaus Lange, Single-Chip Implementation of a Cryptosystem for Financial Applications
    SICAN Braunschweig GmbH. Financial Cryptography, First International Conference, February 1997. Springer-Verlag. ISBN 3-540-63594-7. pp. 135-144.

  2. P. Arora, M. Dugan, P. Gogte, GMU, Survey of commercially available cryptographic...
    ...chips and IP cores implementing cryptographic algorithms.
    December 2005.

  3. Philips Crypto BV, GCD-Φ General Crypto Device (brochure)
    9922 154 22011. Date unknown; probably around 1997.

  4. Philips Crypto BV, GCD-Φ 2000, General Crypto Device (brochure)
    9922 154 22451. Date unknown; probably around 2000.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Saturday 27 October 2012. Last changed: Monday, 13 May 2024 - 21:21 CET.
Click for homepage