New Dimensions in AES Algorithm Implementation
Ruby Sharma
M.Tech. Student, USIT, Guru Gobind Singh Indraprastha University),study.ruby@gmail.com
Abstract: The Advanced Encryption Standard
(AES) is the next generation publicly available
encryption algorithm developed under the auspices
of the National Institute of Standards and
Technology (NIST). The AES algorithm has broad
applications, including smart cards and cellular
phones, WWW servers and automated teller
machines (ATMs), and digital video recorders.
Compared to software implementations, hardware
implementations of the AES algorithm provide
more physical security as well as higher speed. This
paper presents a survey report of the architecture
for AES Algorithm implementation. The paper
reviews the related work done in the concerned
field since AES algorithm was developed in 2000.
Keywords: AES (Advanced Encryption Standard),
Rijndael cipher, FPGA (Field Programmable Gate
Array), encryption, decryption.
1. Introduction
After the introduction of the Data Encryption
Standard (DES) in the 70s, and its various
incarnations it upgrade to Triple DES in 1999
(which happened as attacks on the original
cipher became increasingly viable as computing
resources grew). However, even Triple DES has
had its day and has, since 2002, been superseded
by the Advanced Encryption Standard (AES)
that we should all be using.
As a result of a joint effort between NIST,
industry, and the global cryptographic
community, AES was launched in early 1997.
Cognizant of the fact that the availability of
computer resources and computational power are
ever increasing while associated costs continue
to decrease, the overall goal of the effort was to
develop a strong and publicly available
encryption standard that could be used by
governments and businesses on a global basis for
the protection of sensitive information well into
the future. The development effort for AES was
initiated with a formal global call for candidate
algorithms. The call established the requirements
and criteria for consideration, and opened the
process for a worldwide forum. The minimum
requirements established for submission included
that the algorithm was to be publicly defined,
consist of a symmetric block cipher, and be
available royalty-free worldwide. The algorithm
1
needed to support block sizes of 128- bits and
variable key sizes of 128, 192, and 256-bits.
Lastly, the criteria also called for the capability
to further increase key lengths as needed in the
future and for the algorithm design to be easily
implemented in both hardware and software. A
group of 15 candidate algorithms were originally
accepted for evaluation in August 1998. These
submissions were illustrative of a global
representation of the cryptographic community.
As part of the specified process, these candidates
were then made available for public analysis and
comment. Two further rounds of public
comment and evaluation led to the selection of
the ‘Rijndael’ algorithm, submitted by Belgian
cryptographers Dr. Joan Daemen and Dr.
Vincent Rijmenin October 2000 [1].
The following sections are organized as: Section
2 presents the overview of AES algorithm.
Section 3 explains different possible approaches
for the implementation. Section 4 highlights the
advancement and new achievements in AES
algorithm implementation. Section 5 gives new
perspective from network security. Section 6
concludes this paper.
2. AES Algorithm
AES has a fixed block size of 128 bits. So all
data that is to be encrypted will be broken up
into 128 bit blocks. Padding is added if the data
is not a multiple of 128bits. For manipulation
purposes, 128 bits = 16 bytes (8 * 16 = 128)
which is then treated as a 4 x 4 byte matrix. This
is termed the ‘state’. This is important as the
subsequent algorithm will manipulate this ‘state’
to create the cipher text.
Figure1: The State
(source http//:en.wikipedia.org)
Encryption Key Size: This is the length in bits of
the key used to encrypt or decrypt the message.
In this standard the cipher key can only be 128,
192 or 256 bits long.
There are three important issues for an
encryption algorithm:
a) Only the encryption key is secret. The
algorithm can be made public but that does not
help an attacker decipher a message as the
encryption key is required to implement the
algorithm. This allows us to define a standard
which everybody can follow.
b) Confusion: This involves obscuring the
relationship between the plaintext and the cipher
text. So in its simplest form, it is substituting one
letter for a completely different one. The trick is
to make that relationship impenetrable.
c) Diffusion: This is the mixing and reordering
of the message. So operations here would be
shifting data or transposing columns, for
instance.
Rijndael’s Substitution Box (S-Box)
This is the most important function that performs
substitution which obscures the relationship
between the plaintext and the cipher text. It
introduces the second of the three requirements
above: confusion. The S-Box is created by using
a form of modulus mathematics which is called
Rijndael’s Galois field[1] and within this field;
arithmetic has special properties which ensure
values do not exceed 28 which keeps everything
in a byte, which is great for computers. The
choice of this field and other steps that are taken
to derive the S-Box are carefully chosen to resist
cryptanalysis and are definitely beyond the scope
of this article. In practice, S-box is generally
used in the form of a lookup table.
Tto process a number through the S-Box, each
number is divided into its most and least
significant nibble (4 bits). The least significant
nibble identifies the column to use in the above
table and the most significant nibble defines the
row.
Rcon Function
This function is used to confuse the derivations
of the encryption key that will be used in the
standard. Very simplistically, this function is
putting 2 to the power of 254 to 509 but in the
Rijndael’s Galois field which uses its form of
mathematics to keep values within a byte. The
result is another look up table. This is used to
create a number of encryption keys (or round
keys). Each key size (128, 192 and 256 bits) has
2
a different number of ‘rounds’. Each round
requires a different key to provide the required
diffusion and hence a different number of round
keys need to be derived from the encryption key.
For AES128, the first ‘n’ bytes are the original
key itself. Then the last column of the key is
taken and round shifted (as shown in figure 3,
above). The result is then pushed through the s-
box to provide a completely new column: The
most significant byte of the result is then XOR-
ed with a value from the Rcon table. For the first
round, the index into the Rcon table will be 1,
and then is incremented for each new round. To
create the first column of the next round key, the
result of this XOR is XOR-ed with the first
column of the previous round key. In the case of
the first round, this is: The next three columns of
the new ‘key’ are created by taking each new
column created and XOR-ing it with the four
byte block 16 bytes before the new expansion
key. This is repeated until there are enough keys
for each round. For AES128, there are 10 rounds
and so 10 extra keys are required.
There are three main stages in the AES standard:
The initial round (this is really just initialisation)
is straightforward: take the plaintext and XOR it
with the encryption key.
The intermediate round has four steps:
Sub-Bytes – take each byte and using
Rijndael’sS-Box algorithm map that byte to the
new value.
ShiftRows – Rotate the state in a prescribed
fashion. For AES128, each row is shifted left by
the value of the row where the top row is row
zero. So the top row stays as it is, the first row is
shift 1 to the left, the second row is shifted two
to the left and the third row three to the left.
MixColumns – In this step the four bytes of each
column of the state are used as input. This step
takes four bytes and multiplies them in
Rijndael’s Galois field by a fixed polynomial.
AddRoundKey – This is the same as the initial
round above, but using one of the keys derived
from the Rijndael’s key schedule. So, the result
from sStep 3, MixColumns, is XOR-ed with the
next in the sequence of keys generated by the
Rijndael’s Key Schedule so each round is XOR-
ed with a different key derived from the original.
The final round: There are more attacks being
devised against AES and as computing capacity
improves, developments of these attacks may
become practicable. This round carries out three
steps: SubBytes, ShiftRows and AddRoundKey
The reason why the final round does not have a
‘mixcolumns’ step is because that step is used to
feed into the next round. Since this is the final
step and there is no next round, the final round
excludes that step
. in “Two Methods of Rijndael Implementation in
3 Possible approaches for implementation
There are three architectural optimization
approaches can be employed to speed up the
hardware implementations: pipelining, sub
pipelining, and loop-unrolling. Among these
approaches, the sub pipelined architecture can
achieve maximum speedup and optimum speed–
area ratio in non-feedback modes. In order to
explore the advantage of sub pipelining further,
each round unit needs to be divided into more
sub stages with equal delay.
However, the SubBytes and the InvSubBytes in
the AES algorithm are traditionally implemented
by look-up tables (LUT) [2]–[6]. In LUT-based
approaches, it can be observed that the
unbreakable delay of LUTs is longer than the
total delay of the rest of the transformations in
each round unit. This feature prohibits each
round unit from being divided into more than
two sub stages to achieve any further speedup.
Non-LUT-based approaches, which employ
combinational logic only, can be used to avoid
the unbreakable delay of LUTs. However, these
approaches involve inversions in Galois Field ,
which may have high hardware complexities.
Composite field arithmetic can be employed,
such that the field elements of are mapped to
elements in some isomorphic composite fields,
in which the field operations can be implemented
by lower cost subfield operations. Composite
field implementations are exploited in [7], [8].
However, it is not efficient to implement all the
transformations in the AES algorithm in
composite fields. Meanwhile, the composite field
arithmetic may not be the optimum approach
when the order of the field involved is small. In
addition, none of the prior composite field
arithmetic approaches has addressed applying
sub pipelining to speed up the AES algorithm in
non-feedback modes.
4 Related work
3
Since NIST selected the Rijndael as the AES
algorithm in October 2000, a lots of work has
been done in improving the performance of this
algorithm in terms of various parameters like
cost, area, efficiency, power consumption and
throughput etc. The summarized report of the
previous work is as follow:
In 2001, Viktor Fischer and Miloˇs Drutarovsk´y
Reconfigurable Hardware”[3] analyzed two
mapping methods optimized for FPD with large
embedded memory blocks (EMB), e.g.
Embedded Array Block (EAB) in FLEX and
ACEX devices or Embedded System Block
(ESB) in APEX devices. Two types of cipher
core configurations in feedback mode based on
basic iterative architecture without loop unrolling
are assumed: a fast configuration and an
economic configuration. For both configurations
it is assumed that encryption and/or decryption
The Altera ACEX FPD have been found to be an
excellent solution for very fast Rijndael cipher
implementation in the reconfigurable hardware.
On the other side, low-cost ACEX FPD family is
suitable for cost-sensitive encryption
applications. Round keys are pre computed and
stored in the EMBs.
In the same year, Akashi Satoh, Sumio Morioka,
Kohji Takano, and Seiji Munetoh, IBM
Research, TokyoResearch Laboratory, IBM
Japan Ltd described compact and high-speed
hardware architectures and logic optimization
methods for the AES algorithm Rijndael [7] . By
introducing a new composite field, the S-Box
structure was also optimized. An extremely
small size of 5.4 Kgates was obtained for a 128-
bit key Rijndael circuit using a 0.11-µmCMOS
standard cell library. It required only 0.052 mm2
of area to support both encryption and
decryption with 311 Mbps throughput.
In 2004, Xinmiao Zhang, Student Member,
IEEE, and Keshab K. Parhi, Fellow, IEEE
presented a novel high-speed architectures for
the hardware implementation of the Advanced
Encryption Standard (AES) algorithm [9].
Unlike previous works which rely on look-up
tables to implement the SubBytes and
InvSubBytes transformations of the AES
algorithm, the proposed design employs
combinational logic only. As a direct
consequence, the unbreakable delay incurred by
look-up tables in the conventional approaches
was eliminated, and the advantage of
subpipelining could be further explored.
Furthermore, composite field arithmetic was
employed to reduce the area requirements.
In 2006, a designed was proposed, called
diversified AES (DAES) [10], has the variations
of four parameters: the field irreducible
polynomial, the affine transformation in the
SubBytes, the offsets in the ShiftRows, and the
polynomial in the MixColumns. The advantage
of such variations in the AES system is that they
increase the strength regarding internal or
external attacks. We also use straightforward
architecture – look-up tables – for encryption
and decryption to lead this system simple and
high-speed using field programmable gate arrays
(FPGAs).
In 2008, an efficient approach to reducing the
AES power consumption was given consisting
reduction in the S-Boxes power consumption
[11]. This fast and more compact S-Boxes
architecture of lower power: an improved and
full-balanced DSE architecture achieved low
power consumption of 68 pW at 10 MHz using
0.25 pm 1.8V UMC CMOS technology.
Compared with the original DSE S-Boxes, it
further reduced the delay, gate count and power
consumption by 8%, Also, in this year only, Jose
´ M. Granado, MiguelA.Vega-Rodrı´guez,
JuanM.Sa´nchezPe´rez, JuanA.Go´mezPulido,
Department Technologies of Computers and
Communications, University of Extremadura,
Spain presented their in implementing two
different cryptographic algorithms in an FPGA:
IDEA and AES by means of mixing Handel-C
and VHDL and using partial and dynamic
reconfiguration[12] in order to reach a very high
performance. In both cases, they have obtained
very satisfactory results, achieving 27.948 Gb/s
in the IDEA algorithm and 24.922Gb/s in the
AES algorithm.
In 2009, a new methodology to implement AES
algorithm using partial and dynamic
reconfiguration was given[13]. In the same year,
a 8-bit systolic AES architecture for moderate
data rate applications was presented [14]. This
was made possible by mapping a word bit wide
algorithm to byte vector serial architecture. The
technique divides the input word to several bytes
and then traces each byte for extracting
architectural transformation This year an another
work presented a custom hardware architecture
for the AES-CCM protocol (AESCCMP) which
4
is the basis for the security architecture of the
IEEE 802.11i standard [15]. AESCCMP is based
on the AES-CCM algorithm that performs the
Advanced Encryption Standard (AES) in CTR
with CBC-MAC mode (CCM mode), plus
specialized data formatting modules, providing
different security services through iterative and
complex operations. A comparison against
similar works shows significant improvements in
terms of both throughput and efficiency.
5. New Perspective from Network Security
Already experts are starting to envisage a threat
to AES, — quantum computing. A quantum
computer could efficiently factor large numbers
at a amazing rate. Quantum computers could
perform many calculations at once, instead of
doing one after another like regular computers.
According to Brassard “ If a quantum computer
is ever built, much of the conventional
cryptography will fall apart”. Ho Kwong Lo, the
senior vice president of Magiq Technologies, a
quantum computing and crytography company,
said that increasing key length does not really
reduce the risk of quantum attacks. Speaking at
the RSA conference, earlier this year, he said
that new quantum algorithms will be invented in
the future and the topic in question is too
premature to fully examine the security threat of
quantum attacks. Today, though no one has been
able to bulid a quantum computer that conducts
transactions faster than a normal.
6. Conclusion
There are more attacks being devised against
AES and as computing capacity improves,
developments of these attacks may become
practicable. However, AES can always up the
number of rounds or move to creating dynamic
S-boxes to improve the resistance of the
standard. The main attack is usually against
implementations of the standard (where someone
has programmed the standard and made a
mistake that can be exploited). It is
recommended that properly validated and
supported code is used – of which there are a
number of options – to protect against this sort of
attack.
References
[1] Advanced Encryption Standard (AES), Nov.
26, 2001.
[2] A. J. Elbirt, W. Yip, B. Chetwynd, and C.
Paar. An FPGA implementation and
performance evaluation of the AES block cipher
candidate algorithm finalist. presented at Proc.
3rd AES Conf. (AES3). [Online].
Available:http://csrc.nist.gov/encryption/aes/rou
nd2/conf3/aes3papers.html
[3] V. Fischer and M. Drutarovsky, “Two
Methods Of Rijndael Implementation In
Reconfigurable Hardware,” in Proc. CHES 2001,
Paris, France,May 2001, pp. 77–92.
[4] K. Gaj and P. Chodowiec. “Comparison Of
The Hardware Performance Of The AES
Candidates Using Reconfigurable Hardware”.
presented at Proc. 3rd AES Conf. (AES3).
[Online] Available: http://csrc.nist.gov
/encryption/aes/round2/conf3/aes3papers.html
[5] H. Kuo and I. Verbauwhede, “Architectural
optimization for a 1.82 Gbits/sec VLSI
implementation of the AES Rijndael algorithm,”
in Proc. CHES 2001, Paris, France, May 2001,
pp. 51–64.
[6] M. McLoone and J. V. McCanny, “Rijndael
FPGA implementation utilizing look-up tables,”
in IEEEWorkshop on Signal Processing
Systems, Sept. 2001, pp. 349–360.
[7] A. Satoh, S. Morioka, K. Takano, and S.
Munetoh, “A compact Rijndael hardware
architecture with S-Box optimization,” in Proc.
ASIACRYPT 2001, Gold Coast, Australia, Dec.
2000, pp. 239–254.
[8] A. Rudra, P. K. Dubey, C. S. Jutla, V.
Kumar, J. R. Rao, and P. Rohatgi, “Efficient
implementation of Rijndael encryption with
composite field arithmetic,” in Proc. CHES
2001, Paris, France, May 2001, pp. 171–184.
[9] Xinmiao Zhang and Keshab K. Parhi,”High-
Speed VLSI Architectures for the AES
Algorithm” published in IEEE Transactions On
Very Large Scale Integration (VLSI) Systems,
VOL. 12, NO. 9, September 2004
[10] Ming-Haw Jing, Zih-Heng Chen,etal.,
“Reconfigurable system for high-speed and
diversified AES using FPGA” in
Microprocessors and Microsystems 31 (2007)
94–102
[11] XING Ji-peng, ZOU Xue-cheng, GUO Xu,
“Ultra-low power S-Boxes architecture for AES”
in the journal of China Universities of Posts and
Telecommunications Volume 15, Issue 1, March
2008
[12] J.M. Granado etal.. “IDEA andAES,Two
Cryptographic Algorithms Implemented Using
PartialAnd Dynamic Reconfiguration” in
Microelectronics Journal 40(2009)1032–1040
[13] J.M. Granado-Criado etal. “A New
Methodology To Implement The AES Algorithm
Using Partial AndDynamic Reconfiguration” in
INTEGRATION, the VLSI journal43(2010)72–
80
[14] S.M. Farhan et al. “An 8-bit systolic AES
architecture for moderate data rate applications”
in Microprocessors and Microsystems 33 (2009)
221–231
[15] I. Algredo-Badillo et al. “Efficient
hardware architecture for the AES-CCM
protocol of the IEEE 802.11i standard” in
Computers and Electrical Engineering xxx
(2010) xxx–xxx