MxL Newscenter

News, stories, and profiles from MaxLinear

White Papers

Panther V Storage Accelerator: Taking Storage to the Next Level—Focus on Data Security

February 27, 2026
  • This white paper describes how the Panther V storage accelerator integrates advanced encryption, authentication, and secure‑boot technologies to deliver high‑performance, end‑to‑end data protection.

Authors
Iñaki Val Beitia
Principal Standards Engineer  
Pinaki Chanda
Senior Director of Software Engineering  
Livia M. Rosu
Director of Strategy and Alliances

Key benefits

  • CNSA 1.0 compliant
  • Symmetric key encryption
  • Secure boot loader
  • Data authentication
  • Data compression
  • Padding
  • Optional data protection
  • Single-command execution of multiple data-path transformations
  • Ultra-low latency
  • High throughput
  • Reduced I/O and memory bandwidth usage

Introduction

MaxLinear’s Panther V storage accelerator (Panther V) has been developed to optimize the performance and efficiency of storage appliances by offloading complex tasks that require significant CPU cycles to execute. The key features of Panther V are as follows:

  • Data reduction
    • High-quality compression to minimize the size of data before storage.
    • Hash generation to drive deduplication to further reduce the size of data before storage.
  • Data integrity—Panther V provides the most robust protection against data corruption available.
    • Real-time verification (RTV)—All encode operations are automatically followed by a decode operation and verification that the fully decoded data matches the original data.
    • Note: Transform commands are not completed until all requested data protection/verification operations are completed successfully.
    • Panther V provides full support for the T10-DIF, T10-DIX, and NVMe Protection Information (PI) data protection functions.
  • Data security—Panther V supports NIST-certified Advanced Encryption Standard (AES) security standards used for symmetric key encryption and authentication, typically in—but not limited to—SSL, TLS, and IPsec applications. These solutions are optimized to secure data at rest (on the storage medium), in transit between remote clients, and during backup or replication to secondary storage appliances.
  • Highest performance—Support for 200Gbps of encode throughput and up to 450Gbps of decode throughput with the lowest latencies available.

This document focuses on how Panther V secures and protects data privacy.


                                                               
Table 1: List of Supported Cryptographic Algorithms

Encryption and Security

What is encryption, and what techniques are used to implement it?

Encryption is a security process that transforms data into an unreadable format, ensuring that only a legitimate recipient with the correct key or password can access the original information. Its primary purpose is to safeguard sensitive data from unauthorized access, even if the data is intercepted during transmission or storage. Encryption plays a critical role in:

  • Protecting confidential information
  • Preventing unauthorized access
  • Reducing the risk of data breaches
  • Ensuring compliance with regulations such as HIPAA and GDPR

This encryption process is applied to:

  • Data at rest—Information stored on physical devices such as hard drives or servers, protecting it from unauthorized access.
  • Data in transit—Information transmitted across networks, ensuring its confidentiality during transfer.

The following are some of the most common encryption techniques:

  • Full-disk encryption (FDE)—Encrypts all data on a disk, including the operating system and user files. Commonly used on laptops and mobile devices.
  • File-level encryption—Encrypts individual files or folders, allowing more granular control over what is protected.
  • Database encryption—Secures specific records or fields within a database. Often used to protect personally identifiable information (PII).
  • Cloud storage encryption—Ensures that files stored in cloud services are encrypted, either by the cloud provider or by the user through client-side encryption.

What are the building blocks of secure storage?

In cybersecurity, cryptographic techniques are essential for protecting data, verifying identities, and securing communications. Understanding the foundational concepts of encryption and data integrity is crucial for designing secure systems and complying with modern security standards. Here are seven core concepts that form the backbone of secure storage:

  • Symmetric key encryption—It uses a single key to encrypt and decrypt data. Fast and efficient, it is ideal for encrypting large volumes of data. However, the challenge lies in securely sharing the key between parties. Symmetric key encryption is the backbone of modern cryptographic protocols, offering high performance and efficiency for securing data in transit and at rest.



Figure 1: Symmetric Key Encryption

Figure 1 shows the basic structure of a symmetric key encryption technique, in which the same secret key is used for both encryption and decryption processes. Here is an example of an algorithm and its potential applications:
      -   Example algorithm—AES
      -   Applications—File encryption, disk encryption, IPsec/VPNs

  • Asymmetric key encryption—Also known as public-key encryption, this method uses a pair of keys:
    • A public key for encryption
    • A private key for decryption

It enables secure communication without the need to share secret keys in advance.



Figure 2: Asymmetric Key Encryption

Figure 2 shows the basic structure of an asymmetric key encryption technique, in which the public key is used for the encryption process and the private key for the decryption process. Public key cryptography is often used to securely establish symmetric keys, which are then used for the rest of the protocol because of their efficiency in encrypting bulk data. Here are examples of algorithms and their potential applications:
      -   Example algorithms—RSA, ECDSA
      -   Applications—Digital certificates, key exchange

  • Hashing—A cryptographic hash function is a one-way algorithm that transforms input data of any size into a fixed-length string (called a hash or digest) that appears random. It is primarily used to verify integrity and detect tampering, because even a small change in the input results in a completely different hash (avalanche effect). Key properties of a secure hash function include:

    • Deterministic—The same input always produces the same output.
    • Fast to compute—Efficient for large datasets.
    • Preimage resistant—Computationally infeasible to recover the original input from the hash.
    • Collision resistant—Hard to find two different inputs that produce the same hash.
    • Avalanche effect—Small input changes cause drastic output changes.

Standard hash functions such as SHA-2 are keyless and used for integrity checks, while keyed variants such as HMAC combine a secret key with hashing to provide both integrity and authentication, preventing tampering and verifying the source of the message.


Figure 3: Hash Function

Figure 3 shows the hashing process flow, which transforms input data into a unique, fixed-size hash value using a cryptographic hash function. Here is an example of an algorithm and its potential applications:
      -   Example algorithm—SHA
      -   Applications—Password storage, file integrity checks, blockchain

  • MAC generation and authentication—Message authentication codes (MACs) ensure data integrity and authenticity, complementing encryption by verifying that data has not been altered and originates from a trusted source. A MAC is generated using a cryptographic algorithm and a secret key, appended to the message, and later verified by the recipient using the same key. Applying a MAC after encryption is critical to protect the entire ciphertext from tampering, as it guarantees:
    • Integrity—Detects any modification during storage or transmission.
    • Authentication—Confirms that the message was created by an entity possessing the shared secret key.


Figure 4: Message Authentication Code

Figure 4 shows the basic principles of the MAC algorithm from both perspectives—the sender and the receiver. Here are examples of algorithms and their potential applications:
      -   Example algorithms—HMAC-SHA-1/HMAC-SHA-2, AES-GMAC, AES-XCBC-MAC
      -   Applications—Secure logging, IPsec, authenticated encryption

  • Authenticated encryption (AE)—It combines confidentiality and integrity in a single operation. While traditional encryption ensures that data remains unreadable to unauthorized parties, it does not guarantee that the data has not been altered. AE addresses this gap by integrating encryption with authentication, preventing both unauthorized access and undetected tampering. These algorithms encrypt the plaintext and simultaneously generate an authentication tag (or MAC) that verifies the integrity and authenticity of the ciphertext. During decryption, the tag is validated before the data is accepted, ensuring the detection of any modification. AE is preferable to using encryption and authentication separately because it simplifies the process and reduces security risks. When encryption and authentication are implemented independently, developers must carefully choose the execution order (for example, encrypt-then-MAC) to avoid vulnerabilities such as padding oracle or forgery attacks. This separation also increases performance overhead and the risk of human error. AE schemes, such as AES-GCM, integrate confidentiality and integrity into a single, well-defined operation, thus providing enhanced security, greater efficiency, and simplified implementation. As a result, AE has become the standard for securing sensitive data in protocols like TLS and VPNs.


Figure 5: Authenticated Encryption

AES-Galois/Counter Mode (AES-GCM) is an authenticated encryption method that combines AES encryption with Galois field-based authentication to deliver confidentiality, integrity, and authentication in a single operation. This ensures that data is protected at rest and in transit, that unauthorized changes are detected, and that the source of the data is verified. AES-GCM is highly efficient and parallelizable, making it ideal for high-performance environments. Figure 5 shows the basic structure of the authenticated encryption algorithm, which integrates MAC generation and integrity verification within a single algorithm. Here are examples of algorithms and their potential applications:
      -   Example algorithm—AES-GCM
      -   Applications—IPsec, TLS, and secure storage replication
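The MAC generation and verification steps and the encrypt-then-MAC ordering described above, as an added example (not code from MaxLinear or the Panther SDK). Assumptions: the function names are hypothetical, the keystream is an HMAC-SHA-256 counter-mode stand-in for AES-CTR so the block runs on the Python standard library alone, and the `vol0:lba=42` associated data is a constructed way of binding a block to its storage location.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 48  # full HMAC-SHA-384 output, in bytes


class AuthenticationError(Exception):
    """Raised when the tag does not verify; no plaintext is released."""


def keystream(enc_key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA-256 in counter mode), NOT AES-CTR.
    # Assumption made so the example needs no third-party AES library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def compute_tag(mac_key, nonce, aad, ciphertext):
    # The MAC covers nonce, associated data and ciphertext. The length prefix
    # keeps the boundary between associated data and ciphertext unambiguous.
    msg = nonce + struct.pack(">Q", len(aad)) + aad + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha384).digest()


def seal(enc_key, mac_key, plaintext, aad=b""):
    """Encrypt first, then MAC the ciphertext. Returns nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ciphertext + compute_tag(mac_key, nonce, aad, ciphertext)


def unseal(enc_key, mac_key, blob, aad=b""):
    """Verify the tag in constant time before any decryption happens."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise AuthenticationError("blob too short")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, compute_tag(mac_key, nonce, aad, ciphertext)):
        raise AuthenticationError("tag mismatch")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def is_rejected(enc_key, mac_key, blob, aad):
    """True if unseal refuses the blob, False if it returns plaintext."""
    try:
        unseal(enc_key, mac_key, blob, aad)
    except AuthenticationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys and data; separate keys for cipher and MAC.
    ek, mk = os.urandom(32), os.urandom(32)
    aad = b"vol0:lba=42"
    blob = seal(ek, mk, b"sector payload", aad)
    print("round trip:", unseal(ek, mk, blob, aad))
    flipped = bytearray(blob)
    flipped[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    print("bit flip rejected:", is_rejected(ek, mk, bytes(flipped), aad))
    print("relocated block rejected:", is_rejected(ek, mk, blob, b"vol0:lba=43"))
    print("truncated blob rejected:", is_rejected(ek, mk, blob[:-1], aad))
```

An AE mode such as AES-GCM performs the equivalent of `seal` and `unseal` as one operation with one key, which is the simplification the text describes.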

  • Digital signatures—They combine hashing and asymmetric key encryption to verify the authenticity and integrity of a message or document. They ensure that the data was sent by the claimed sender and has not been altered. To illustrate how this works: the sender signs a hash of the message with their private key; the recipient then verifies it using the sender’s public key.


Figure 6: Digital Signature

Figure 6 shows the process flow of a digital signature, illustrating how data is signed using a private key and later verified using the corresponding public key. It also highlights the most relevant applications—software distribution, secure communications.

  • Key exchange—The key-encapsulation mechanism (KEM) enables two parties to securely share symmetric cryptographic keys over an insecure communication channel, using asymmetric algorithms. This is a critical step in establishing encrypted communication. 

For KEM, two key aspects are worth highlighting:
      -   Example protocols—Diffie-Hellman (DH), Elliptic-curve Diffie-Hellman (ECDH)
      -   Applications—TLS/SSL connections, VPNs, secure messaging

Storage Use Cases

In today’s technology-driven environments, effective data storage management goes beyond performance and availability—it also focuses on ensuring confidentiality, integrity, and resilience against threats. Depending on the specific requirements of each application, the volume of data, and the existing infrastructure, different storage architectures are used to optimize cost, speed, and reliability. Panther V enhances these architectures by embedding hardware-accelerated encryption, authentication, and secure boot, thereby addressing the security risks inherent to each model:

  • Network-attached storage (NAS)—It offers a more flexible solution, enabling multiple users and devices to access shared files over a network. NAS is particularly useful in collaborative environments requiring centralized access to documents, backups, or multimedia content. Its ease of management and support for standard protocols—such as Server Message Block (SMB) and Network File System (NFS)—make it a popular choice for small and medium-sized businesses. NAS introduces network exposure, making it vulnerable to unauthorized access and man-in-the-middle attacks. Panther V mitigates these risks by implementing authenticated encryption for data in transit, ensuring confidentiality and integrity. It also supports message authentication, preventing tampering. Hardware acceleration ensures that encryption does not degrade performance, and secure boot guarantees the execution of trusted firmware.
  • Direct-attached storage (DAS)—It refers to storage devices that are physically connected to a single server or computer, without involving a network. This model is ideal for small-scale environments or applications that require low latency and fast data access, such as local servers or workstations. While DAS is cost-effective and easy to deploy, it offers limited scalability and does not support data sharing across multiple systems. Even though DAS is not exposed to a network, physical access to the host or storage device can compromise data. To mitigate this risk, Panther V integrates encryption for data at rest, ensuring confidentiality even if the disk is stolen. It also supports real-time integrity verification to prevent silent data corruption. Additionally, secure boot ensures that only trusted firmware runs on the storage accelerator, protecting against malicious code injection.
  • Storage Area Networks (SANs)—They meet enterprise-level demands, offering high-performance, block-level storage over a dedicated network. SANs are designed for mission-critical applications such as databases, enterprise resource planning (ERP) systems, and virtualized infrastructures, where speed, reliability, and scalability are essential. Although SANs require a more complex setup, they provide robust capabilities for high availability and data redundancy. SANs are high-value targets due to the centralized storage of sensitive data. Panther V addresses this risk by encrypting high-speed block-level data streams, ensuring confidentiality and integrity. Compliance with the CNSA Suite provides government-grade security. Additionally, secure boot prevents unauthorized firmware execution, and authentication algorithms protect against tampering.
  • Remote replication—It is a key strategy for business continuity and disaster recovery. It involves copying data from a primary storage system to a secondary system located in a different geographical area. This ensures that a current and consistent copy of the data is available in case of system failure, data loss, or service interruption. Remote replication is also crucial for meeting regulatory requirements and enhancing operational resilience. Replication across networks exposes data to interception and corruption risks. Panther V secures this process with authenticated encryption during replication, ensuring confidentiality and integrity. Additionally, secure boot ensures that replication appliances run only trusted code.
  • Distributed storage clusters—They rely on technologies such as distributed file systems (for example, Ceph, GlusterFS, HDFS), object storage, consensus protocols, and high-speed networking to achieve scalability and fault tolerance. In these environments, security is critical because data is distributed across multiple nodes and networks, increasing exposure to interception and tampering. Without robust protection, attackers could manipulate or access sensitive information during transit or at rest. Encryption ensures confidentiality by preventing unauthorized access, while authentication guarantees integrity and verifies the source of data, protecting against forgery and replay attacks. Together, these mechanisms form the foundation of secure distributed storage, making them essential for compliance, trust, and resilience in modern cloud and enterprise deployments.

Each of these storage technologies serves a specific purpose within a comprehensive data management strategy. With Panther V, organizations achieve both high performance and security, ensuring resilience against physical and cyber threats while meeting regulatory and operational requirements.



Figure 7: Storage Use Cases

Panther V and Security

The Panther V solution is designed to meet robust protection requirements by integrating advanced security features directly into the hardware. It supports data encryption to safeguard sensitive information, authentication mechanisms to verify data integrity, and a secure boot process to ensure that only trusted firmware is executed at startup. By combining these capabilities, Panther V provides a comprehensive foundation for secure storage, enabling you to build resilient systems that comply with modern security standards and protect against both physical and remote attacks.

Encryption

To support robust data protection, Panther V integrates a suite of hardware-accelerated symmetric cryptographic algorithms tailored for various use cases. These include:

  • AES-Galois/Counter Mode (AES-GCM)–A widely adopted mode for authenticated encryption, combining confidentiality and integrity. The supported key lengths are 128 bits, 192 bits, and 256 bits.
  • AES-Cipher Block Chaining (AES-CBC)–Ideal for encrypting large blocks of data with strong confidentiality, commonly used in secure storage and file encryption. The supported key lengths are 128 bits, 192 bits, and 256 bits.
  • AES-Counter Mode (AES-CTR)–Suitable for high-speed encryption of streaming data, offering flexibility and parallel processing capabilities. The supported key lengths are 128 bits, 192 bits, and 256 bits.
  • AES-XEX-based Tweaked-codebook mode with Ciphertext Stealing (AES-XTS)–Optimized for disk encryption, offering enhanced security for data at rest. The supported key lengths are 128 bits, 192 bits, and 256 bits.

These algorithms enable Panther V to deliver efficient, standards-compliant encryption for secure data storage across a wide range of applications–from embedded systems to enterprise-grade solutions.

Note: Panther does not offload public key cryptography because these algorithms are primarily used for key exchange rather than bulk data encryption. Public-key operations, such as RSA or ECC, are computationally intensive but occur infrequently compared to the continuous encryption of large data streams. In contrast, symmetric key encryption is the core of the encryption process, securing bulk data efficiently and at high speed. To maximize performance and minimize latency, Panther focuses on offloading symmetric encryption algorithms to hardware, enabling compression, padding, encryption, and optional data protection in a single command. This approach delivers ultra-low latency and high throughput and reduces I/O and memory bandwidth usage, making it ideal for modern distributed storage clusters.

Authentication

Panther V supports advanced authentication mechanisms to ensure data integrity and verify the authenticity of stored or transmitted information. Supported algorithms include:

  • AES-Hash-Based Message Authentication Code using SHA-1/SHA-2 (AES-HMAC-SHA-1/AES-HMAC-SHA-2)–It combines AES with the SHA-1/SHA-2 family of hash functions to generate strong authentication tags, widely used in secure communications and data validation. The AES supported key lengths are 128 bits, 192 bits, and 256 bits. The SHA-1/SHA-2 supported lengths are 160 bits, 224 bits, 256 bits, 384 bits, and 512 bits.
  • AES-Galois Message Authentication Code (AES-GMAC)–A mode of AES-GCM used specifically for authentication, providing efficient and secure message integrity verification without encryption overhead. The supported key lengths are 128 bits, 192 bits, and 256 bits.
  • AES-Extended Cipher Block Chaining Message Authentication Code (AES-XCBC-MAC)–A block-cipher-based message authentication code that uses AES in an extended CBC construction to provide strong integrity protection for variable-length messages. Commonly used in IPsec and other high-performance environments, AES-XCBC-MAC leverages AES hardware acceleration for efficiency. The supported key length is 128 bits, and the MAC output is typically 96 bits for compliance with RFC 3566.

These authentication algorithms enable Panther V to validate data origin and integrity, making it suitable for applications that require tamper detection, secure logging, and trusted data exchange.

Secure Boot

To ensure system integrity from the moment the device powers on, Panther V includes a robust secure boot mechanism. This feature verifies the authenticity and integrity of the firmware before execution, preventing unauthorized or malicious code from running on the device.

The secure boot process leverages two key cryptographic algorithms:

  • AES-Cipher Block Chaining with 256-bit key (AES-256-CBC)–It is used to decrypt and validate encrypted firmware images, ensuring confidentiality during storage and transfer, using a key length of 256 bits.
  • Elliptic Curve Digital Signature Algorithm with 384-bit key (ECDSA P-384)–It provides strong digital signature verification, confirming that the firmware originates from a trusted source and has not been tampered with.

By combining encryption and digital signature verification, Panther V guarantees a trusted boot environment. This forms the foundation for a secure system lifecycle and protects against threats such as firmware injection, rollback attacks, and unauthorized modifications. Together, encryption, authentication, and secure boot form a comprehensive security framework embedded directly into the Panther hardware.

Figure 8: Secure Boot

NSA compliant

This secure storage Panther V solution is engineered to meet the stringent requirements of national security systems, offering robust cryptographic capabilities aligned with the Commercial National Security Algorithm (CNSA) Suite. Fully compliant with CNSA 1.0, it supports key algorithms such as:

  • AES-256 for symmetric key encryption
  • ECDSA P-384 for digital signatures
  • SHA-384 for secure hashing

In preparation for the transition to CNSA 2.0, the device also supports AES-256 and SHA-384/SHA-512.

Conclusion

Panther V offers a comprehensive, future-ready security architecture that integrates data encryption, authentication, and secure boot capabilities. It supports a wide range of cryptographic algorithms to ensure confidentiality, integrity, and authenticity across diverse use cases.

Fully compliant with CNSA 1.0, the device is designed to meet current national security standards while preparing for the transition to post-quantum cryptography. Additionally, its architecture meets the requirements of the CAVP program—a critical prerequisite for FIPS 140-3 certification—reinforcing its suitability for deployment in defense, government, and critical infrastructure environments.

With its robust feature set and certification readiness, Panther V provides a trusted foundation for secure data storage and system integrity in high-assurance applications.
