Atomic-AES . A Compact Implementation of the AES - - PowerPoint PPT Presentation

.

Atomic-AES

.

A Compact Implementation of the AES Encryption/Decryption Core

.

by

.

Subhadeep Banik

.

Sep 30, 2016

Joint work with Andrey Bogdanov, Francesco Regazzoni Asian Symmetric Key Workshop, Nagoya, 2016

.

Introduction

.

1/73

. .

Introduction

.

Introduction

.

Introduction

.

2/73

• Good Morning to all !!!
• Compact Implementation of AES ENC/DEC Circuit. Why

ENC+DEC ?

Many modes like CBC, ELmD, COPA need ENC+DEC access.

• Serial AES Circuit by Moradi et al. [Eurocrypt 11]

One of the smallest at 2400 GE. Encrypt only. Description of structure, datapath and functioning.

• Atomic-AES : Both Encrypt and Decrypt supported.

Based on the Moradi circuit: 2645 GE: ENC/DEC latency: 226 cycles. Grain of Sand (Feldhofer et al. IEEE IS 05): 3400 GE, 1032/1165 cycles. Description of structure, datapath and functioning.

.

Serial Implementation

.

3/73

. .

SerialImplementation

.

Serial vs Round based

.

Serial Implementation

.

4/73 SReg KReg

RF KS

Plaintext Key Ciphertext

• One round computed per clock cycle: No resource sharing.
• AES → 20 S-boxes per round !!
• Smallest: Canright [CHES 04], Boyar-Peralta [JOC 11]

Forward S-box: 200GE approx: Hence 4000 GE for S-boxes alone!! AES Encryption ckt: 8000 GE.

.

Serial vs Round based

.

Serial Implementation

.

5/73

Tradeoffs

• Imagine AES circuit with only 8 S-box circuits.
• Atleast 3 cycles to do Substitution layer of one round.

Substitution layer for 8-bytes of state can be computed in one cycle. Atleast 3*10=30 cycles for one encryption → more latency.

• Most compact circuit: One S-box.

Needs atleast 20*10=200 cycles for one encryption.

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

6/73

. .

8-bitserialAEScircuit (MoradietalEurocrypt11)

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

7/73

Circuit Description

• 16 banks of byte size registers ‘00’ to ‘33’ for the state.
• Similar arrangenment for the key.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

8/73

Circuit Description

• Each byte sized state register takes two inputs.
• One for serial loading and unloading, second for Shiftrow.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

9/73

Circuit Description

• The connections in key register helps to do keyschedule.
• Two data movements: horizontal and vertical.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

10/73

Circuit Description

• Scan flip-flops for each register: 6 GE.
• D Flip-flop + Mux takes 7.33 GE: save 1.33 GE per bit.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

11/73

Circuit Description

• Only one S-box and one 8-bit xor for ARK (not shown).
• S-box uses Canright architecture.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

12/73

Circuit Description

• Mixcolumn implemented as logic block in {0, 1}32 → {0, 1}32.
• Takes 4 cycles to compute over the state.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

13/73

Circuit Description

• 32 bit Mux after Mixcolumn for 10th round bypass.
• 8 bit Mux before S-box to choose between state, key.

.

Moradi et al Eurocrypt 11

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

14/73

Circuit Description

• Round is computed in 21 cycles, encryption in 226 cycles.
• Special 21 cycle LFSR generates all control signals.

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

15/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 K0 P0 S0 = S(P0 + K0) S0

Round 0, Cycle 5

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

16/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K1 K1 P1 S1 = S(P1 + K1) S1

Round 0, Cycle 6

S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

17/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K2 K2 P2 S2 = S(P2 + K2) S2

Round 0, Cycle 7

S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

18/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K3 K3 P3 S3 = S(P3 + K3) S3

Round 0, Cycle 8

S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

19/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K4 K4 P4 S4 = S(P4 + K4) S4

Round 0, Cycle 9

S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

20/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K5 K5 P5 S5 = S(P5 + K5) S5

Round 0, Cycle 10

S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

21/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K6 K6 P6 S6 = S(P6 + K6) S6

Round 0, Cycle 11

S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

22/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K7 K7 P7 S7 = S(P7 + K7) S7

Round 0, Cycle 12

S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

23/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K8 K8 P8 S8 = S(P8 + K8) S8

Round 0, Cycle 13

S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

24/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K9 K9 P9 S9 = S(P9 + K9) S9

Round 0, Cycle 14

S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

25/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KA KA PA SA = S(PA + KA) SA

Round 0, Cycle 15

S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

26/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KB KB PB SB = S(PB + KB) SB

Round 0, Cycle 16

SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

27/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KC KC PC SC = S(PC + KC) SC

Round 0, Cycle 17

SB KB SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

28/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KD KD PD SD = S(PD + KD) SD

Round 0, Cycle 18

SC KC SB KB SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

29/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KE KE PE SE = S(PE + KE) SE

Round 0, Cycle 19

SD KD SC KC SB KB SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

30/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

KF KF PF SF = S(PF + KF) SF

Round 0, Cycle 20

SE KE SD KD SC KC SB KB SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

31/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 S0

Round 1, Cycle 0

SF KF SE KE SD KD SC KC SB KB SA KA S9 K9 S8 K8 S7 K7 S6 K6 S5 K5 S4 K4 S3 K3 S2 K2 S1 K1 S0 K0

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

32/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 S0 F7 = S(K7)

Round 1, Cycle 1

SE KF SD KE SC KD SF KC S9 KB S8 KA SB K9 SA K8 S4 K7 S7 K6 S6 K5 S5 K4 S3 K3 S2 K2 S1 K1 S0 K0 M0 M4 M8 MC K7 F7 L0 = K0 + F7 + RC

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

33/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 S0 FB = S(KB)

Round 1, Cycle 2

MC K3 SE K2 SD K1 SC L0 M8 KF S9 KE S8 KD SB KC M4 KB S4 KA S7 K9 S6 K8 M0 K7 S3 K6 S2 K5 S1 K4 M1 M5 M9 MD KB FB L4 = K4 + FB

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

34/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 S0 FF = S(KF)

Round 1, Cycle 3

MD K7 MC K6 SE K5 SD L4 M9 K3 M8 K2 S9 K1 S8 L0 M5 KF M4 KE S4 KD S7 KC M1 KB M0 KA S3 K9 S2 K8 M2 M6 MA ME KF FF L8 = K8 + FF

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

35/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

K0 S0 F3 = S(K3)

Round 1, Cycle 4

ME KB MD KA MC K9 SE L8 MA K7 M9 K6 M8 K5 S9 L4 M6 K3 M5 K2 M4 K1 S4 L0 M2 KF M1 KE M0 KD S3 KC M3 M7 MB MF K3 F3 LC = KC + F3

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

36/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

L0 L0 M0 T0 = S(L0 + M0) T0

Round 1, Cycle 5

MF KF ME KE MD KD MC LC MB KB MA KA M9 K9 M8 L8 M7 K7 M6 K6 M5 K5 M4 L4 M3 K3 M2 K2 M1 K1 M0 L0 L1

.

Data flow-SR+MC+ARK+SB

.

8-bit serial AES circuit (Moradi et al Eurocrypt 11)

.

37/73

MIX COLUMN SBOX

RoundKey RoundKey

KEY TEXT ENCOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELXOR

SELRC RC

L1 L1 M1 T1 = S(L1 + M1) T1

Round 1, Cycle 6

T0 L0 MF KF ME KE MD KD MC LC MB KB MA KA M9 K9 M8 L8 M7 K7 M6 K6 M5 K5 M4 L4 M3 K3 M2 K2 M1 L1 L2

.

Atomic AES

.

38/73

. .

AtomicAES

.

Principal Issues: Inverse Shiftrow

.

Atomic AES

.

39/73

• Implement Shiftrow and Inverse Shiftrow in same setup.

Potentially one extra Mux for each 8-bit register.

• Can we do better?

Observation 1

For the 0th and the 2nd rows of the AES state, Shiftrow and Inverse Shiftrow bring about the same transformation. ⇒ No change of logic required in the 0th and 2nd rows !!

.

Principal Issues: Inverse Shiftrow

.

Atomic AES

.

40/73

• Implement Shiftrow and Inverse Shiftrow in same setup.

Potentially one extra Mux for each 8-bit register.

• Can we do better?

Observation 2

For the 1st and the 3rd rows of the AES state, Shiftrow and Inverse Shiftrow bring about opposite transformations. Which is to say, that the Shiftrow operation on the 1st row brings about the same transformation as the Inverse Shiftrow on the 3rd row and vice versa.

.

Principal Issues: Inverse Shiftrow

.

Atomic AES

.

41/73

32 8

00 01 02 03 10 11 12 13 20 21 22 23 30 31 32 33

• Each register has 2 connections
• 1. Serial loading/unloading 2. Shiftrows
• For regs 10,11,12 both connections are same.

Rewire second connection for Shiftrow−1. Extra mux required for 13. No changes in third row except extra mux required for 33 !! Why ?

.

Principal Issues: Inverse Shiftrow

.

Atomic AES

.

42/73

32 8

00 01 02 03 10 11 12 13 20 21 22 23 30 31 32 33

• Each register has 2 connections
• 1. Serial loading/unloading 2. Shiftrows
• For regs 10,11,12 both connections are same.

Rewire second connection for Shiftrow−1. Extra mux required for 13. No changes in third row except extra mux required for 33 !! Why ?

.

Principal Issues: Inv. Keyschedule

.

Atomic AES

.

43/73

• K0, K1, K2, K3 → Current roundkey column
• L0, L1, L2, L3

→ Next roundkey column

L0 = K0 ⊕ F(K3), L1 = K1 ⊕ L0, L2 = K2 ⊕ L1, L3 = K3 ⊕ L2

• For Decryption, roundkeys generated in reverse order

Given L0, L1, L2, L3 we need to generate K0, K1, K2, K3. K3 = L2 ⊕ L3 K2 = L1 ⊕ L2 K1 = L0 ⊕ L1 K0 = F(K3) ⊕ L0 = F(L2 ⊕ L3) ⊕ L0

• What modification to Key register circuit is needed ???

.

Principal Issues: Inv. Keyschedule

.

Atomic AES

.

44/73

RoundKey

SBIN

SBOUT

SELXOR SELED

SELRC RC/RC−1

00 01 02 03 10 11 12 13 20 21 22 23 30 31 32 33

• How does this help ???

.

Principal Issues: Inv. Keyschedule

.

Atomic AES

.

45/73

L00

5

L01

6

L00 L02

7

L03

8

L02 L01 L00 L01 L00 L10

9 10 11 12

K03 K02 K01 L00 L11 L10 K03 K02 K01 L00 L12 L11 L10 K03 K02 K01 L00 L13 L11 K03 K02 K01 L12 L10 L00

13 14

L20 K13 K12 K11 L10 K03 K02 L21 L20 K13 K12 K11 L10 K03 K01 L00 K02 K01 L00

SELED = 1

• Let L0i, L1i, L2i, L3i denote the 4 key bytes in the column Li

Set SELED to 1 only during cycles 8, 12, 16, 20. Serially load the key bytes from 5-20.

.

Principal Issues: Inv. Keyschedule

.

Atomic AES

.

46/73

L00

5

L01

6

L00 L02

7

L03

8

L02 L01 L00 L01 L00 L10

9 10 11 12

K03 K02 K01 L00 L11 L10 K03 K02 K01 L00 L12 L11 L10 K03 K02 K01 L00 L13 L11 K03 K02 K01 L12 L10 L00

13 14

L20 K13 K12 K11 L10 K03 K02 L21 L20 K13 K12 K11 L10 K03 K01 L00 K02 K01 L00

SELED = 1

• After cycle 20, the Key register contains L0, K1, K2, K3.

Compute F(K3) in cycles 1-4 as during encryption and add to L0. At the beginning of next cycle 5, entire roundkey is available.

.

Principal Issues: Operation Flow

.

Atomic AES

.

47/73

• 1. Add whitening key.
• 2. Rounds 1 to 9
• A. Sub. Layer, B. Shiftrows, C. Mixcolumn, D. Add roundkey
• 3. Round 10
• A. Sub. Layer, B. Shiftrows, C. Add roundkey

Encryption Round

Shiftrow → Mixcolumn → Add roundkey + S-box of next round

.

Principal Issues: Operation Flow

.

Atomic AES

.

48/73

• 1. Add whitening key.
• 2. Rounds 1
• A. Inv Sub. Layer, B. Inv Shiftrows, C. ARK
• 3. Round 2-10
• A. Inv Mixcolumn, B. Inv Sub. Layer, C. Inv Shiftrows, D. ARK

Decryption Round ??

Shiftrow−1 → Mixcolumn−1 → ARK + S-box−1 of next round

• Used in Satoh [AC 01]. Reverses order of MC−1 and ARK.

Requires MC−1(K) to work → Additional Time or Latency

.

Principal Issues: Operation Flow

.

Atomic AES

.

49/73

• 1. Add whitening key.
• 2. Rounds 1
• A. Inv Sub. Layer, B. Inv Shiftrows, C. ARK
• 3. Round 2-10
• A. Inv Mixcolumn, B. Inv Sub. Layer, C. Inv Shiftrows, D. ARK

Decryption Round ??

Mixcolumn−1 → Shiftrow−1 → S-box−1 + ARK

• Mirror inverse of Encryption round.

MC−1(K) not required.

.

Atomic-AES

.

Atomic AES

.

50/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

00 01 02 03 10 11 12 13 20 21 22 23 30 31 32 33 00 01 02 03 10 11 12 13 20 21 22 23 30 31 32 33

.

Data flow

.

Atomic AES

.

51/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L0 C0 C0 U0 = C0 + L0 U0 L0

Round 0, Cycle 5

.

Data flow

.

Atomic AES

.

52/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L1 C1 C1 U1 = C1 + L1 U1 L1

Round 0, Cycle 6

U0 L0

.

Data flow

.

Atomic AES

.

53/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L2 C2 C2 U2 = C2 + L2 U2 L2

Round 0, Cycle 7

U1 L1 U0 L0

.

Data flow

.

Atomic AES

.

54/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L3 C3 C3 U3 = C3 + L3 U3 K3

Round 0, Cycle 8

U2 L2 U1 L1 L0 K2 K1 U0

.

Data flow

.

Atomic AES

.

55/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L4 C4 C4 U4 = C4 + L4 U4 K3

Round 0, Cycle 9

U3 U2 K2 K1 U1 U0 L0 L4

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

56/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L7 C7 C7 U7 = C7 + L7 U7 K7

Round 0, Cycle 12

U6 K2 U5 K1 L0 K6 K5 U4 L4 L5 L6 K3 U0 U1 U2 U3

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

57/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

L8 C8 C8 U8 = C8 + L8 U8 L8

Round 0, Cycle 13

U6 K2 U5 K1 L0 K6 K5 U4 L4 K3 U0 U1 U2 U3 K7 U7

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

58/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

LF CF CF UF = CF + LF UF KF

Round 0, Cycle 20

UE KA UD K9 L8 KE KD UC LC LD LE KB U8 U9 UA UB L0 K1 K2 L4 U0 U1 U2 K7 K3 K5 K6 U7 U4 U5 U6 U3

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

59/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

UF KF

Round 1, Cycle 0

UE KA UD K9 L8 KE KD UC LC KB U8 U9 UA UB L0 K1 K2 L4 U0 U1 U2 K7 K3 K5 K6 U7 U4 U5 U6 U3 I0 I1 I2 I3 UC U8 U0 U4

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

60/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

F7 = S(K7) F7 UF KF

Round 1, Cycle 1

UE KA UD K9 L8 KE KD LC KB U9 UA UB L0 K1 K2 L4 U1 U2 K7 K3 K5 K6 U7 U5 U6 U3 UC U8 U0 U4 K7 K0 = L0 + F7 + RC UD U9 U1 U5

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

61/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

FB = S(KB) FB UF KF

Round 1, Cycle 2

UE KA K9 L8 KE KD LC KB UA UB K0 K1 K2 L4 U2 K7 K3 K5 K6 U7 U6 U3 UC U8 U0 U4 KB K4 = L4 + FB UD U9 U1 U5 UE UA U2 U6

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

62/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

F3 = S(K3) F3 UF KF

Round 1, Cycle 4

UE KA K9 K8 KE KD LC KB UA UB K0 K1 K2 K4 U2 K7 K3 K5 K6 U7 U6 U3 UC U8 U0 U4 K3 KC = LC + F3 UD U9 U1 U5

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

63/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

K0 U0 V0 = S−1(U0) UC KF

Round 1, Cycle 5

UF KA K9 K8 KE KD KC KB U8 U9 K0 K1 K2 K4 U2 K7 K3 K5 K6 U6 U5 U3 UD UA U0 U7 UE UB U1 U4 W0 = V0 + K0 W0 K0

.

Data flow -IMC-ISR-ISB-ARK

.

Atomic AES

.

64/73

MIX COLUMN / INV MIX COLUMN SBOX/

RoundKey RoundKey

SBOX−1

KEY TEXT ENCOUT DECOUT

StateOUT SBIN SBOUT

SBIN

32 SBOUT

MCIN 32

8 StateOUT SELAK1 SELAK2 SELXOR

SELED

SELRC RC/RC−1

K1 U1 V1 = S−1(U1) UC KF

Round 1, Cycle 6

UF KA K9 K8 KE KD KC KB U8 U9 K1 K2 K4 U2 K7 K3 K5 K6 U6 U5 U3 UD UA U7 UE UB U1 U4 W1 = V1 + K1 W1 K1 W0 K0

.

Atomic-AES: Operations

.

Atomic AES

.

65/73

ENCRYPTION 1-4 5-20 1-4 5-20 5-20 DECRYPTION 0-3 4

Add Whitening Key + S-box of 1st round Store Key serially Add roundkey + S-box of next round Compute roundkey + Store it serially State Key State Key Round 1-10 Round 1-10 1-10 State Key Shiftrow Frozen Mixcolumn Compute F(K3) Store Key serially (with SELED=1 at 8,12,16,20) Store Key serially (with SELED=1 at 8,12,16,20) Add Whitening Key Inverse S-box + Add roundkey Frozen Compute F(K3) Mixcolumn−1 Shiftrow−1

.

Atomic-AES: Additions

.

Atomic AES

.

66/73

• 1. 2 additional 8-bit multiplexers in the state datapath,
• 2. 3 additional 8-bit xor gates in the key datapath,
• 3. 24 additional and gates in the key datapath,
• 4. 1 additional 8-bit multiplexer, 1 additional 8-bit xor gate,

16 additional and gates during state-key addition,

• 5. Other additional logic required to implement
• a. S-box and its inverse,
• b. Mixcolumn and its inverse,
• c. Round constants and their inverses.

.

S-box

.

Atomic AES

.

67/73

• A discussion on AES S-box architectures can take over 5

hours.

• Most use tower field representations of GF(28)
• Architecture proposed by Canright [CHES 04]

Using normal bases to represent GF(28) One of the most compact representations of Rijndael S-box.

• Improved by Boyar-Peralta [JOC 11] (Forward S-box)
• We use this architecture.

.

Mixcolumn + Inverse

.

Atomic AES

.

68/73

    14 11 13 9 9 14 11 13 13 9 14 11 11 13 9 14     =     2 3 1 1 1 2 3 1 1 1 2 3 3 1 1 2     ·     5 4 5 4 4 5 4 5    

• Premultiply of input column by the Circulant(5, 0, 4, 0):

y3 = xxtime(x3 ⊕ x1) ⊕ x3, y2 = xxtime(x2 ⊕ x0) ⊕ x2 y1 = xxtime(x3 ⊕ x1) ⊕ x1, y0 = xxtime(x2 ⊕ x0) ⊕ x0

.

Mixcolumn + Inverse

.

Atomic AES

.

69/73 Multiply By

    5 0 4 0 0 5 0 4 4 0 5 0 0 4 0 5    

AES Mixcolumn

ENC/DEC

MCIN MCOUT

• The multiplication block takes exactly 58 xor gates
• Mixcolumn takes 108 gates.
• Entire ckt in 108 + 58 = 166 gates and 32 bit multiplexer.

.

Other features

.

Atomic AES

.

70/73

• Round constants implemented using LUTs.
• If r is current round then:

ENCRC: LUT(r), DECRC: LUT(11 − r)

• Use a 4-bit mux to filter r or 11 − r and input to LUT.
• All signals generated using 21 cycle LFSR.

.

Implementation results

.

Atomic AES

.

71/73 # Architecture Type Library Area (GE) Latency Energy Max Throughput ENC DEC (in nJ) (Mbps) 1 8-bit Serial (EC11) ENC only UMC 180nm 2400 226

• 8.4
• 2

Grain of Sand (IEE-IS05) ENC/DEC Philips 350nm 3400 1032 1165 46.4/52.4 9.9/8.8 3 8-bit Serial (IEEE JSSC15) ENC/DEC 22nm 4037 336 216 3.9/2.5 432.0/671.0 4 32-bit Serial (AC01) ENC/DEC 110nm 5400 54 54

• 311.0

5 Atomic-AES ENC/DEC STM 90nm 2645 226 226 3.3 94.4 ENC/DEC STM 65nm 2976 226 226 2.2 57.8

Performance Comparison

.

Implementation results

.

Atomic AES

.

72/73

27.7 % Key Registers (734 GE) 27.7 % State Registers (732 GE) 12.2 % Mixcolumn (323 GE) 9.6 % S-box (253 GE) 17.2 % Muxes+Xors+And gates (455 GE) 5.6 % Control System (148 GE)

Area requirements of the individual components

.

Thank you for listening!! Any Questions??

.

73/73

. .

Thankyouforlistening!! AnyQuestions??