Title: Final Report: Hardware Implementation Issues for S-Box of AES
1 Final Report: Hardware Implementation Issues for S-Box of AES
Presenter: Chao-Tsung Huang, 2004/06/17
2 Outline
- Basics of Hardware Design
- Review AES
- Direct Implementation of S-Box
- Implementation in Composite Field
- Published Comparisons
- Implementation Results and Comments
3 Software vs. Hardware
- Software
  - Fixed number of processing units (PUs)
  - The program schedules the PUs
  - Overhead: control and cache circuits
  - Advantage: flexibility
- Hardware
  - You control the number of PUs
  - Design in the 2-D space-time domain
  - Advantage: high performance
  - Suitable for regular data flow
  - Disadvantage: inflexibility
4 Itanium Chip Photo
[Die photo with annotated regions: arithmetic circuits, control circuits, others (cache related!!!)]
Ref: Intel, ISSCC 2003
5 If You Know the Data Flow Exactly
- You can have more than 15 times the computation power using the same area
- Hardware design is
  - Parallel computing
  - Regular data flow
6 Hardware Evaluation
- Important factors
  - Speed (working frequency, $1/T$, where $T$ is the latency)
  - Area of one PU ($A$)
  - Utilization
- Throughput
  - $\text{Throughput} = (1/T) \times (\text{PU number}) \times \text{Utilization}$
  - $\text{Total Area} = AT \times \text{Throughput} / \text{Utilization}$
- General constraint
  - Minimize area for a given throughput
  - Minimize $AT$, maximize utilization
7 Agenda
- Basics of Hardware Design
- Review AES
- Direct Implementation of S-Box
- Implementation in Composite Field
- Published Comparisons
- Implementation Results and Comments
8 Encryption Process of AES
9 Direct Implementation of S-Box
- Lookup table
  - Can use ROM, PLA, or logic gates
  - 256-entry table of 8-bit values
10 S-Box in Composite Field
- Original S-Box is in $\mathrm{GF}(2^8)$
- Over
- Most complex computation: inversion
- Basic concept
  - Isomorphism
  - Perform the inversion in a composite field
  - $\mathrm{GF}((2^4)^2)$: CHES 2001
  - $\mathrm{GF}(((2^2)^2)^2)$: [1]
[1] A. Satoh, et al., "A Compact Rijndael Hardware Architecture With S-Box Optimization," ASIACRYPT 2001, LNCS 2248, pp. 239-254.
11 Inverse in Composite Field
- Computing the inverse in $\mathrm{GF}((2^m)^n)$ can be done as operations over $\mathrm{GF}(2^m)$ plus one inverse computed over $\mathrm{GF}(2^m)$
  - $P \in \mathrm{GF}(2^{mn})$
  - $P^{-1} = (P^r)^{-1} \cdot P^{r-1}$, where $r = (2^{mn}-1)/(2^m-1)$
  - $P^r \in \mathrm{GF}(2^m)$
  - $(P^r)^{-1}$ can be computed in $\mathrm{GF}(2^m)$
  - And $P^r$ and $P^{r-1}$ can be computed with $\mathrm{GF}(2^m)$ operations
- For AES ($n = 2$, $m = 4$, so $r = 255/15 = 17$)
  - $P^{-1} = (P^{17})^{-1} \cdot P^{16}$
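The identity on this slide carried out in Python, as an added example that is not code from the slides or from [1]: it stays in the standard $\mathrm{GF}(2^8)$ representation rather than $\mathrm{GF}(((2^2)^2)^2)$, identifies the $\mathrm{GF}(2^4)$ subfield as the fixed points of $x \mapsto x^{16}$ instead of going through an isomorphism map, and checks the result against direct inversion and the AES affine transform.

```python
# Added example (not code from the slides or from [1]): the identity
# P^-1 = (P^17)^-1 * P^16 evaluated in the standard GF(2^8) representation.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial
def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_pow(a, e):  # square-and-multiply exponentiation in GF(2^8)
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r
# GF(2^4) inside GF(2^8) is exactly the set fixed by the Frobenius map x -> x^16
# (the hardware's isomorphism map would expose these 16 elements as 4-bit values).
SUBFIELD = frozenset(x for x in range(256) if gf_pow(x, 16) == x)
# The only table the composite-field inverter needs: 16 entries instead of 256.
# x^15 = 1 for nonzero x in GF(2^4), so x^-1 = x^14 there.
SUBFIELD_INV = {x: gf_pow(x, 14) if x else 0 for x in SUBFIELD}

def composite_inverse(p):
    """P^-1 = (P^17)^-1 * P^16, the only inversion being done in GF(2^4)."""
    if p == 0:
        return 0  # AES maps 0 to 0 before the affine step
    p16 = gf_pow(p, 16)   # P^(r-1): four squarings, each linear over GF(2)
    p17 = gf_mul(p16, p)  # P^r, the norm of P, always lands in the subfield
    assert p17 in SUBFIELD
    return gf_mul(SUBFIELD_INV[p17], p16)

def direct_inverse(p):  # reference: P^-1 = P^254 straight in GF(2^8)
    return gf_pow(p, 254) if p else 0

def aes_sbox(p):  # composite-field inverse followed by the AES affine transform
    b, out = composite_inverse(p), 0
    for i in range(8):
        bit = (0x63 >> i) ^ (b >> i)
        for k in (4, 5, 6, 7):
            bit ^= b >> ((i + k) % 8)
        out |= (bit & 1) << i
    return out
```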
12 Composite-field-based Inverter in [1]
13 Composite-field-based S-Box
14 Isomorphism Map
- An isomorphism map function must exist
- Finding it takes some search skills
- Map in [1]
  - Simple AND, XOR operations
  - Can be merged with the affine transform
15 Comparisons in [1] (1/2)
- S-Box features (in two-input NAND gate equivalents)
  - 58% reduction compared to the look-up table
  - 79% reduction if S-Box and S-Box$^{-1}$ are merged
[Comparison chart: $\mathrm{GF}(((2^2)^2)^2)$ vs. $\mathrm{GF}((2^4)^2)$]
16 Comparisons in [1] (2/2)
17 Comparisons in [2]
[Comparison chart: look-up table vs. $\mathrm{GF}((2^4)^2)$]
[2] I. Verbauwhede, et al., "Design and Performance Testing of a 2.29-GB/s Rijndael Processor," IEEE JSSC, vol. 38, no. 3, pp. 569-572, Mar. 2003.
18 My Implementation Result
- UMC 0.18 um cell library
- 1 gate = 13.3 um$^2$
19 Specification Derivation
- For AES with a 128-bit key
  - 10 rounds of S-Box
  - Each round consists of 16 S-Box operations
  - 160 S-Box operations for each 128 bits
- Using the best AT condition
  - 1.5 ns, 790 gates
  - 666.7M S-Box operations/sec
  - Can support 533.3 Mbps
- For a 10 Gbps application
  - 19 S-Box hardware modules are sufficient
  - About 15010 gates, i.e. roughly 0.2 mm$^2$
20 Comments
- The idea of the composite field is interesting, but it is only useful for
  - Low-speed, low-cost applications
  - Designs where encryption and decryption coexist and don't run simultaneously
21 Summary
- The inversion requires the most computation in the S-Box
- Inversion in a composite field can reduce the table size, at the cost of
  - Transformation overhead
  - Long latency
- Which is better depends on the application and specification