（已读）ACompactRijndaelHardwareArchitecturewithS-BoxOptimization.pdf资源-CSDN文库

PDF

需积分: 13 26 浏览量 2020-02-12 19:36:46 上传评论收藏 696KB PDF 举报

资源推荐

资源详情

资源评论

A Compact Rijndael Hardware Architecture

with S-Box Optimization

Akashi Satoh, Sumio Morioka, Kohji Takano, and Seiji Munetoh

IBM Research, Tokyo Research Laboratory, IBM Japan Ltd., 1623-14,

Shimotsuruma, Yamato-shi, Kanagawa 242-8502, Japan

{akashi,e02716,chano,munetoh}@jp.ibm.com

Abstract. Compact and high-speed hardware architectures and logic

optimization methods for the AES algorithm Rijndael are described.

Encryption and decryption data paths are combined and all arithmetic

components are reused. By introducing a new composite ﬁeld, the S-Box

structure is also optimized. An extremely small size of 5.4 Kgates is ob-

tained for a 128-bit key Rijndael circuit using a 0.11-µm CMOS standard

cell library. It requires only 0.052 mm

of area to support both encryp-

tion and decryption with 311 Mbps throughput. By making eﬀective use

of the SPN parallel feature, the throughput can be boosted up to 2.6

Gbps for a high-speed implementation whose size is 21.3 Kgates.

1 Introduction

DES (Data Encryption Standard) [14,1], which is a common-key block cipher

for US federal information processing standards, has also been used as a de

facto standard for more than 20 years. NIST (National Institute of Standard

Technology) has selected Rijndael [2] as the new Advanced Encryption Standard

(AES) [13]. Many hardware architectures for Rijndael were proposed and their

performances were evaluated by using ASIC libraries [8,18,10,9] and FPGAs [3,

17,6,11,5]. However, they are simple implementations according to the Rijndael

speciﬁcation, and none are yet small enough for practical use. The AES has to be

embeddable not only in high-end servers but also in low-end consumer products

such as mobile terminals. Therefore, sharing and reusing hardware resources,

and compressing the gate logic are indispensable to produce a small Rijndael

circuit.

The SPN structure of Rijndael is suitable for highly parallel processing, but

it usually requires more hardware resources compared with the Feistel structure

used in many other ciphers developed after DES. This is because, all data is

encoded in each round of Rijndael processing, while only half of data is processed

at once in DES. In addition, Rijndael has two separate data paths for encryption

and decryption.

In this paper, we describe a compact data path architecture for Rijndael,

where the hardware resources are eﬃciently shared between encryption and de-

cryption. The key arithmetic component S-Box has been implemented using

C. Boyd (Ed.): ASIACRYPT 2001, LNCS 2248, pp. 239–254, 2001.

 Springer-Verlag Berlin Heidelberg 2001

240 A. Satoh et al.

look-up table logic or ROMs in the previous approaches, which requires a lot

of hardware support. Reference [16] proposed the use of composite ﬁeld arith-

metic to reduce the computation cost of the S-Box, but no detailed hardware

implementation was provided. Therefore, we propose a methodology to optimize

the S-Box by introducing a new composite ﬁeld, and show its advantages in

comparison to the previous work.

2 Rijndael Algorithm

Fig. 1 shows a Rijndael encryption process for 128-bit plain text data string and

a 128-bit secret key, with the number of rounds set to 10. These numbers are

used throughout this paper, including for our hardware implementation. Each

round and the initial stage requires a 128-bit round key, and thus 11 sets of round

keys are generated from the secret key. The input data is arranged as a 4 × 4

matrix of bytes. The primitive functions SubBytes, ShiftRows and MixColumns

are based on byte-oriented arithmetic, and AddRoundKey is a simple 128-bitwise

XOR operation.

SubBytes is a nonlinear transformation that uses 16 byte substitution ta-

bles (S-Boxes). An S-Box is the multiplicative inverse of a Galois ﬁeld GF (2

)

followed by an aﬃne transformation. In the decryption process, the aﬃne trans-

formation is executed prior to the inversion. The irreducible polynomial used by

a Rijndael S-Box is

m(x)=x

+ x

+ x +1. (1)

ShiftRows is a cyclic shift operation of the last three rows by diﬀerent oﬀsets.

MixColumns treats the 4-byte data in each column as coeﬃcients of a 4-term

polynomial, and multiplies the data modulo x

+ 1 with the ﬁxed polynomial

given by

c(x)={03}x

+ {01}x

+ {01}x + {02}. (2)

In the decryption process, InvMixColumns multiplies each column with the poly-

nomial

−1

(x)={0B}x

+ {0D}x

+ {09}x + {0E} (3)

and InvShiftRows shifts the last three rows in the opposite direction from

ShiftRows.

The key expander in Fig. 1 generates 11 sets of 128-bit round keys from one

128-bit secret key by using a 4-byte S-Box. These round keys can be prepared on

the ﬂy in parallel with the encryption process. In the decryption process, these

sets of keys are used in reverse order. Therefore, all keys have to be generated and

stored in registers in advance, or the ﬁnal round key in the encryption process

has to be pre-calculated for on-the-ﬂy key scheduling. Because the ﬁrst method

requires the equivalent of a 1,408-bit register (128 bits × 11), and is not suitable

242 A. Satoh et al.

The “Enc/Dec block” has 16-byte data registers, and they execute ShiftRows

(or InvShiftRows) operations by themselves. Each 4-byte column is transformed

by four parallel S-Boxes as SubBytes (or InvSubBytes). The order of ShiftRows

and SubBytes is diﬀerent from that in Fig. 1, though this does not aﬀect the

operations’ results.

Selectors change the circuit state between encryption and decryption. The

data path

−1

→ x

−1

→ δ

−1

and aﬃne → MixColumns

is selected for encryption, and the path

aﬃne

−1

and δ

−1

→ x

−1

→ δ

−1

→ InvMixColumns

is used for decryption. δ

−1

and δ are isomorphism functions for ﬁeld conversions.

Details are described in Section 4.

By moving InvMixColumns from the front of each S-Box to the back, Mix-

Columns and InvMixColumns can be merged and some selectors are eliminated.

As a result, the circuit size and the critical path length are reduced. An addi-

tional InvMixColumns is required in the key expander, but the area impact is

minor.

3.2 S-Box Sharing with Key Expander

The key expander reuses the S-Boxes in the encryption/decryption block to

generate a 128-bit key in each round. The S-Boxes are used once by the key

expander, and four times by the encryption/decryption block, for a total of ﬁve

times in every round. While the key expander uses the S-Boxes, the ShiftRows (or

InvShiftRows) operation is executed simultaneously. As shown in Fig. 1, only the

AddRoundKey operation is executed in the initial round, and the MixColumns

(or InvMixColumns for decryption) is omitted in the ﬁnal round. This operation

switching is carried out by controlling the 4:1 selector at the bottom of Fig. 2.

The ﬁrst round key used in AddRoundKey is the initial key data stored in the

key registers, and a transformation with the S-Boxes is not necessary. Therefore

the ﬁrst round takes four cycles, and the entire encryption process takes 54 (=

4+5× 10) cycles. The decryption process also takes 54 cycles. When a new

secret key is provided, the key expander takes 10 cycles to generate the initial

decryption key, which is the ﬁnal round key in the encryption.

As described in Section 2, Rcon[i] is a 4-byte constant value, and the highest

order byte is generated by modular multiplication on GF (2

). The circuit RC in

Fig. 3 generates the constant values sequentially during the encryption process,

starting from {01}, and RC

−1

calculates the same values in reverse order from

{36}. These circuits are also merged as shown in this ﬁgure.

剩余15页未读，继续阅读

评论收藏

内容反馈

一把过

粉丝: 0
资源: 1

（已读）A Compact Rijndael Hardware Architecture with S-Box Optimiza...

最新资源

（已读）A Compact Rijndael Hardware Architecture with S-Box Optimiza...

AES-Rijndael.zip_AES_delphi aes _rijndael .p_rijndael-alg-fst_ri

Rijndael-Inspector-v1.1

AES_Rijndael算法协处理器设计与实现.pdf

Rijndael S-box方程组的生成和优化

Rijndael_Animation_v4_eng AES...

Rijndael-Inspector-v1.1.zip_AES flash_Rijndael_Rijndaelinspector

rijndael-vc源码.zip_ Rijndael_Rijndael_Vc_rijndael c++

AES-Rijndael.rar_Rijndael_aes-256_encryption_js AES_js a

An Introduction to Cryptography - 2nd Edition - 2007

AES.rar_AES_Rijndael_Rijndael-192_aes-256_分组 加密 算法

tiny-AES-c-master.zip

Springer.The.Design.of.Rijndael.AES.Mar.2002.rar

Springer.The Design of Rijndael AES.pdf

HIME 系列加密lib

AES-Rijndael算法介绍.docx

基于BES的AES S-box方程组

rar爆破_AdvancedRARPassword.7z

论文研究-一种基于Rijndael的图像加密方法.pdf

基于Rijndael加密算法的多功能智能云锁系统研究.pdf

BurpLoaderKeygen.jar.zip

最新版ISO/IEC 27001:2022、ISO 27002:2022中英文合集

Goby红队版-win-x64-2.4.7版本

Chrome Header Editor 插件

ISO SAE 21434-2021 中文版.pdf

OpenVAS GVM 中文翻译补丁

安全认证cisp教材全套

STM32F103C8T6核心板-电路原理图1.PDF

软件工程导论(第六版)课后习题答案1

最新资源

AES.rar_AES_Rijndael_Rijndael-192_aes-256_分组加密算法