1 Introduction
AES is a new symmetric block cipher standard, issued by the National Institute of Standards and Technology (NIST) on November 26, 2001 [1]. There have been many studies on hardware implementations of the AES algorithm using FPGAs [2-4] and ASIC libraries [5, 6].
The AES consists of an initial round key addition, Nr-1 regular rounds and a final round, where Nr is 10, 12 or 14 depending on the key length. Each round is composed of sixteen 8-bit S-Boxes computing SubBytes, a 128-bit ShiftRows, four 32-bit MixColumns operations and a round key addition. The equivalent decryption structure has exactly the same sequence of transformations as the encryption structure. The AES encryption structure
Received date: 2007-02-25
XING Ji-peng, ZOU Xue-cheng, GUO Xu
Research Center for VLSI and Systems, Department of Electronic Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
E-mail: jpxing@126.com
[Table fragment, row labels lost: average power (mW @ 10 MHz) 24.7, 10.7, 9.30 with shares of 46%, 20%, 17% and 17%; one of the four values is missing.]
2 Related works
There is a rich literature devoted to the efficient design of cryptographic S-Boxes; it can be divided into three basic approaches.
The first is constructing the circuit directly from the truth table of the S-Box. Most simply, an asynchronous ROM of 256 bytes could be instantiated for each S-Box. Since ROMs have neither good electrical characteristics nor a short response time, combinational logic is chosen for the implementation of S-Boxes instead. The second method implements the multiplicative inverse and the affine transform with combinational circuits, using look-up tables or the direct relationship between the input and output values of the S-Box. The third approach implements the S-Box in combinational logic using its arithmetic properties.
For the second approach, the S-Box hardware can be derived from its truth table using two-level logic, such as a sum of products (SOP), or using decision diagrams, such as a binary decision diagram (BDD) [9]. In addition, the decoder-switch-encoder structure (DSE) [10] has been developed; it is more efficient than a straightforward hardware look-up table (LUT) in terms of delay and power, while both of them use the input-output relation directly.
For the third approach, the implementation of the multiplicative inverse in a composite field (denoted here as GF) [7], which yields compact structures, is well studied as a substitute for the original implementation in the Galois field GF(2^8). Then, after converting some parts of the GF S-Box into two-level logic, a power-optimized structure called 3-stage positive polarity
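The three approaches above can be seen side by side in a small software model. The following Python is an added illustration and not code from the paper: it builds the S-Box from its GF(2^8) definition (multiplicative inverse followed by the FIPS-197 affine map, the arithmetic route of the third approach), tabulates it as the 256-entry truth table a ROM or LUT would hold (first approach), and then evaluates that table through a decoder-switch-encoder network (second approach). The decoder is modelled as four 2-bit predecoders ANDed per minterm, following the xx00xxxx-style line patterns visible in Fig. 2; the paper's 3-stage gate-level decoder and 4-stage encoder are not reproduced, and all function names are this example's own.

```python
"""Software model of one AES S-Box built three ways: from its GF(2^8)
arithmetic definition, as a 256-entry truth table (LUT), and as a
decoder-switch-encoder (DSE) network driven by that table.
Added illustration; not the paper's code."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0 as FIPS-197 requires."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def affine(b: int) -> int:
    """FIPS-197 affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    s = b
    for i in range(1, 5):
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


def sbox_arith(x: int) -> int:
    """Third approach: S(x) computed from the arithmetic properties."""
    return affine(gf_inv(x))


def sbox_truth_table() -> list:
    """First approach: the 256-entry table a ROM or LUT would store."""
    return [sbox_arith(x) for x in range(256)]


def decoder(x: int) -> list:
    """8-to-256 one-hot decoder.  Modelled (assumption) as four 2-bit predecoders,
    one per input bit pair, whose lines are ANDed for every minterm."""
    pair_lines = [[1 if ((x >> (2 * k)) & 3) == v else 0 for v in range(4)]
                  for k in range(4)]
    return [
        pair_lines[0][m & 3] & pair_lines[1][(m >> 2) & 3]
        & pair_lines[2][(m >> 4) & 3] & pair_lines[3][(m >> 6) & 3]
        for m in range(256)
    ]


def switch_matrix(table: list) -> list:
    """Switch stage: for each output bit j, the decoder lines wired into its encoder OR."""
    return [[m for m in range(256) if (table[m] >> j) & 1] for j in range(8)]


def encoder(lines: list, switch: list) -> int:
    """Encoder stage: output bit j is the OR of the decoder lines selected for it."""
    out = 0
    for j, taps in enumerate(switch):
        if any(lines[m] for m in taps):
            out |= 1 << j
    return out


def dse_sbox(x: int, switch: list) -> int:
    """Second approach: the S-Box evaluated as decoder -> switch -> encoder."""
    return encoder(decoder(x), switch)


def encoder_fan_in(switch: list) -> list:
    """How many decoder lines each output OR has to combine (sets the encoder depth)."""
    return [len(taps) for taps in switch]


if __name__ == "__main__":
    table = sbox_truth_table()
    sw = switch_matrix(table)
    assert all(dse_sbox(x, sw) == table[x] for x in range(256))
    print("S(0x53) = 0x%02x" % table[0x53], "encoder fan-in per bit:", encoder_fan_in(sw))
```

Because the S-Box is a bijection, every output bit is 1 for exactly 128 of the 256 decoder lines, so each encoder output is a 128-input OR. That fan-in, not the switch matrix, is what a balanced multi-stage encoder has to absorb: a tree of 4-input gates needs four levels to collapse 128 inputs (128, 32, 8, 2, 1), consistent with the 4-stage encoder described in the conclusions.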
[Table fragment, row labels lost: average power (µW @ 10 MHz) 478 (100%), 289 (60.5%), 189 (39.5%), 0.003 (≈0%); the last three values sum to the first.]
[Eqs. (3)-(6) are not recoverable from the extraction; only their shapes survive: (3) a sum of two literals, (4) a sum of four literals, (5) a product of four literals, (6) a sum of a complemented literal, a two-literal product and a further literal. The subscripts are lost. Fig. 2 (caption lost) shows decoder line patterns with x as don't-care: xxxx00xx, xxxx01xx, xxxx10xx, xxxx11xx; xx00xxxx, xx01xxxx, xx10xxxx, xx11xxxx; 00xxxxxx, 01xxxxxx, 10xxxxxx, 11xxxxxx.]
Adopting the above three methods, the improved encoder structure is shown in Fig. 4 in detail. Figure 4(a) shows the generation of outputs O0 and O1, for which the outputs of the stages cannot be reused. Figure 4(b) shows the generation of outputs O2-O7, for which the outputs of the first stage can be reused at a high ratio.
[Eqs. (8) and (9) are not recoverable from the extraction; only their shapes survive: (8) a sum of three product terms with several literals complemented, (9) a sum of four two-literal products grouped in two pairs. The subscripts are lost.]
[Fig. 5 Improved decoder architecture: the gate counts visible in the figure are 256 NOR2, 16 OR2, 2 INV and 4 NAND2, and 63 NOR4; their assignment to the 2nd and 3rd stages is not recoverable.]
5 Simulation results
Table: Delay, gate count and average power of the S-Box architectures (UMC 0.25 µm, 1.8 V CMOS, 10 MHz)

Architecture   Delay/ns   Size/gate   Average power/(µW@10MHz)
LUT            4.54       573         180
GF             8.04       373         478
PPRM           6.70       709         111
SOP            4.46       575         156
BDD            1.15       3283        1744
DSE            3.17       780         76
IDSE           2.92       670         68
6 Conclusions
In this paper, we have developed an improved DSE architecture for S-Box circuits with low critical path delay, small size and low power. The designed S-Boxes for AES, using optimized balanced architectures of a 3-stage decoder and a 4-stage encoder, are applicable to security applications that require high speed, compact area and power efficiency. The power consumption of S-Box circuits can be reduced by avoiding the creation and propagation of dynamic hazards, and the silicon area and the critical path delay can be decreased by optimizing the logic at gate level. Simulation results obtained at 10 MHz using a UMC 0.25 µm 1.8 V CMOS technology show that the delay, gate count and power consumption are reduced by 8%, 14% and 10% respectively compared with the original DSE S-Boxes. Moreover, we have analyzed and compared two cost metrics of the six selected S-Box implementations. Our proposed IDSE S-Boxes achieve the smallest power-area product and power-delay product. To our knowledge, it is the lowest-power S-Box circuit among all known S-Box architectures.
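To check the two cost metrics the conclusions rely on against the simulation results, the following Python is an added example (not the paper's code) that takes the seven rows of delay, gate count and average power as reported on the page, computes the power-area and power-delay products, ranks the architectures under each, and recomputes the per-column reductions of IDSE over DSE. The dictionary layout and function names are this example's own.

```python
"""Cost-metric check on the delay / gate-count / power figures reported on
the page for seven S-Box architectures (UMC 0.25 um, 1.8 V, 10 MHz).
Added illustration, not the paper's code; the numbers are copied from the
page's table of simulation results."""

# name -> (delay in ns, size in gates, average power in uW at 10 MHz)
RESULTS = {
    "LUT":  (4.54, 573, 180),
    "GF":   (8.04, 373, 478),
    "PPRM": (6.70, 709, 111),
    "SOP":  (4.46, 575, 156),
    "BDD":  (1.15, 3283, 1744),
    "DSE":  (3.17, 780, 76),
    "IDSE": (2.92, 670, 68),
}

DELAY, SIZE, POWER = 0, 1, 2


def power_area_product(name: str) -> float:
    """uW x gates: the area-weighted power cost of one S-Box."""
    delay, gates, power = RESULTS[name]
    return power * gates


def power_delay_product(name: str) -> float:
    """uW x ns: energy-per-operation proxy for one S-Box."""
    delay, gates, power = RESULTS[name]
    return power * delay


def rank(metric) -> list:
    """Architectures sorted from best (smallest metric) to worst."""
    return sorted(RESULTS, key=metric)


def reduction_pct(new: str, old: str, column: int) -> float:
    """Percent reduction of one column (DELAY, SIZE or POWER) going from old to new."""
    before, after = RESULTS[old][column], RESULTS[new][column]
    return 100.0 * (before - after) / before


if __name__ == "__main__":
    print("power-area ranking: ", rank(power_area_product))
    print("power-delay ranking:", rank(power_delay_product))
    for col, label in ((DELAY, "delay"), (SIZE, "size"), (POWER, "power")):
        print("IDSE vs DSE %-5s reduction: %.1f%%" % (label, reduction_pct("IDSE", "DSE", col)))
```

The rankings also make the trade-offs behind the raw table explicit: BDD is the fastest but by far the largest and most power-hungry, GF is the smallest but the slowest, and only DSE and IDSE are near the front under both products.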
Acknowledgements This work is supported by the Hi-Tech Research and Development Program of China (2006AA01Z226), HUST-SRF (2006Z011B), the Program for New Century Excellent Talents in University and the Natural Science Foundation of Hubei (2006ABA080).
References
"
LUT
GF
PPRM
SOP
DSE
IDSE
No. 1
From p. 101
22. Lye Wil Liam, Chekima A, Liau Chung Fan, et al. Iris
recognition using self- organizing neural network. Proceedings of
Student Conference on Research and Development, Jul 16-17,
2002, Shah Alam, Malaysia. Piscataway, NJ, USA: IEEE, 2002:
169-1 72
23. University of Bath Iris image database. http://www.bath.ac.uW
elec-eng/research/sipg/irisweb/index.htm[Bath].
117
10. … 26-28, 2004, Boston, MA, USA. New York, NY, USA: ACM Press, 2004: 277-281
11. Rabaey J M, Chandrakasan A, Nikolic B. Digital integrated circuits: a design perspective. 2nd ed. Upper Saddle River, NJ, USA: Prentice-Hall, 2003
12. Tillich S, Feldhofer M, Großschädl J. Area, delay, and power characteristics of standard-cell implementations of the AES S-boxes. Proceedings of the 6th Workshop on Embedded Computer Systems: Architectures, Modeling, and Simulation (SAMOS 2006), Jul 17-20, 2006, Samos, Greece. Heidelberg, Germany: Springer-Verlag, 2006: 457-466