The Design of Low-area 32-bit AESEncryption/Decryption System on FPGA

Wattanit Hortrakool, AAI AlHarbiy, Ji Song, Xiao-Yang Ji, Yu-Ou Jiang

Abstract

– In many papers, FPGA design for theAdvanced Encryption Standard (AES) Rijndaelalgorithm mainly focused on the high throughput thatis up to twenty gigabit per second (Gbps). While thereare few application need high throughput, instead, thelow cost and low area are more suitable. This paperindicates a 32-bit core architecture which occupiesonly 288 slices in Spartan-3 device and provide thethroughput upto 195 Mbps.

Index Terms

— Advanced Encryption Standard(AES), Field Programmable Gate Array (FPGA),Encryption, decryption, and low area.

NTRODUCTION

This coursework objective is to design aencryption and decryption unit using the AdvancedEncryption Standard (AES) algorithm andimplement the system on Field Programmable GateArray(FPGA) board.National Institute of Standards andTechnology replacing propose AES of Rijndaelcipher algorithm on 2001. It is a new digitalencryption standard that replace Digital EncryptionStandard (DES). Moreover, it is a Symmetric KeyCryptosystem that means the encryption anddecryption use the same key ciphers. Thisalgorithm could use the 128, 192 and 256 bits asthe block ciphers size on 128-bit data block, and itis more flexible, security and effective in thecryptography [1].Recently, the low area consumption of AES areapplied in Wireless Local Area Networks (WLAN),Wireless Personal Area Networks (WPAN),Wireless Sensor Networks (WSN) or other fields[2]. Typically, AES algorithm with loop-unrolledand 128-bit data path is high-speed design, but theconsumption and area also remain high. Reducingthe data-path from 128-bit to 32-bit could decreasethe slices of area, thus the 32-bit data path isapplied in our design with 128-bit ciphers length.This paper is organized as follows. In section 2indicates an overview of AES. Section 3 presentsour the 32-bit low-area architecture. Theimplementation result and comparison with otherworks are shown in Section 4. Finally, Section 5makes a conclusion of this paper.II.

DVANCE

NCRYPTION

TANDARD

The Advance Encryption Standard is a round-based symmetric bloc cypher algorithm. AES usesa cipher key of length 128, 192, or 256 bits toencrypt or decrypt the data block of 128 bits [3].The number of iteration round Nr depends on thesize of key, which are 10, 12, 14 roundsrespectively. In each round between 1 to Nr-1,there are four basic operations which are SubByte,ShiftRow, MixColumn and AddRoundKey. Each128-bit data block called state. SubByte is anonlinear byte substitution, uses a substitution table(Sbox) to operate on each byte of the stateindependently. ShiftRow circularly shifts differentnumbers of bytes on the row of state. MixColumnmixes the bytes in the columns using themultiplication of the state with a polynomialmodulo. Finally, AddRoundKey is an XOR process,adding a round key from Key Expansion unit to thestate in each iteration. The encryption anddecryption flow diagrams are shown in Figure 1.

(a) Encryption (b) DecryptionFigure 1 128-bit AES Encryption/Decryption flow diagram.

Normal

textAddRoundKeySubByteShiftRowMixColumnAddRoundKeySubByteShiftRowAddRoundKeCypher

TextNormal

text

AddInvRoundKeyInvSubByte

InvShiftRow

InvMixColumInvSubByte

InvShiftRow

AddInvRoundKeNormal

textAddInvRoundKe

In thilow-areaimplemedevice (designHoweve192-bitarchitect

SubB

In thi(shown2048x9These BLUT forthe Bloceach rowwide, thconnectewhereasencryptiBRAMsoperatioThe useoccupiedcomputithroughppresente

Shift

The(shown i16-bit Sshift regibecauseshift regmeans tbecausecapableslice of III.

ROPOS

s section, oAES systemnted on theC3S50). Thsing 32-bit, this systemand 256-biture of this sys

yte and Inves

s design, thin Figure 3)ual-port Blolock RAMsSBox and Ink RAMs pro. The addresse first 8 bitd to the inthe 9

bitn/decryptioncan perforfor 4 bytes,of these Bby 4 sets of g 4 SBoxut especiallyin the syste

ow and Inve

design of n Figure 4) aift Registerssters are grouof 32-bit datister to handere are 32 rSRL16 requito put 2 regipartan 3 cont

RCHITEC

r designedis presentedsmallestis design isdatapath witcan be redey as well.tem is shown

SubByte

SubByte aare implemek RAMs(Rre treated asvSBox. Eachvides the Suof the Blocs address oput data fris used toLUT. AltoSubByte a

which is 1 cAM halp recombinationes, as welwhen there i.

seShiftRow

hiftRow ane implement(SRL16) andped as a bytepath- Therele the data f gisters presires only 1ter into a siains 2 LUTs)

FiguTURE

architecture. Our designilinx Spartahe round-bash 128-bit k sign easilyThe high-lein Figure 2.nd InvSubBnted using tMB16_S9_SROMs to st8-bit outputByte resultRAM is 11-each portom every rselect betweether, thesend InvSubBlumn, at a tiduce the slil logic usedl as increis no pipeliniInvShiftRd using a gromultiplexers. In this desiare 4 groupsor one colunted. HowevLUT, theregle slice (C.

e 2 High-level a

forisn3edy.forelteo9).reof forbitrewen2tee.esforsengwup

. 8n-of n,er,reBomsiesicthIn

InInInIn

rchitectureFigure 3 Im

The outputeration isultiplexers usmple calculficiently contgnal. As a remponent occe input datavShiftRow.

Figure 4

Byte

inByte

inE/D

put row 1put row 2put row 3put row 4O

plementation of

of ShiftRdone by cing 4-state Fition, eachrolled usingult, the Shiftupies only 1nd the outpu

esign of ShiftRo

Addr

BRAM

Addr

BRAM

Addr

utput row 1-4

SubByte/InvSub

w and Invontrolling thnite State Mamultiplexeronly singletRow and Invslices. Tablt data of Shi

w and InvShiftR

Byte

1Byte

2Byte

Byte

ShiftRowe 7-to-1chine. Bycan beit controlShiftRow1 showstRow and

utut

8xSRL1

xSRL1

Mix

Galoicolumn tcolumnparametecalculateand decr



Thea consta



Whileby a fixeThis eimplemeof {0b}implemewhere



HoweInvMixCresults iusing thdifferent

Figure

As shInvMixCthe loginumberInsteaapply aftbe seen,each of Moreovemean onl

(a)

Table 1 Result

olumn and In

Field multiransformatioare represer in GF (d by functionption. The f

 







ix column mt polynomial

03





, in the decrd polynomial

0





quation of innted owing t, {0d}, {09nt as follow.

 08



 

ver, thisolumn is verlarge circuimethod mmethod follo

5 Implementatio

own in Figolumn in thisand resourf slices occu

∗∗





of computer



in ord





has othem is strr, {05} coully one multipl

put

(b)Aft

f ShiftRow and I

verseMixCol

lication is e, and in the 3nted as pol



). Everythat is variarm of polyno













ultiplied modc(x).

01



0

ption the ind (x), shown

 









09

verse mix coo complicate} and {0e}

08



004



 0

method of y complex, it. In this dentioned abowing [4].

of mix columncolumn

re 5, thesystem are des in orderied. By usin

 01



 04



 0

ing



direr to get the inly two mulaightforwardd equal toication need

8 12

2 6

7 11

ShiftRow

(c)Af

InvShiftRow

sential for2-bit system tynomials wbyte couldle in encryptimials is

 



ulo





 1

1  02

erse multipliby

 0

lumn is direcmultiplicati. It could



 08



implementiefficient whisign, insteade, we apply

and inverse mix

ixColumn aesigned to shto optimize tthis relation



5

ctly,





cverse. As it ctiplications ato impleme{04}+{01} talculate.

123

15 3

InvShiftRow

ixheithbeonithedtlyonbengchof andreheananndnt.atscM

eecwrewstbutcwcDaRFiwdRfithopacM

emcac

kere

By using tstem is mmponent ocixColumn an

Key Expans

Generally thpansion. Thery block of n change keay will repesult in speeday is to comore all keys ifore key adilising themponent.In order to aay is used.mponent cecryption unid then storeAM(RAMB1gure 6.

Figu

As a new keill store in 3lay. When totWord, S-Brst column reat, the newe clock andocess is reped stored. Thlumn beingachine.

Control Un

The contrcryption/decultiplexers.me from thea masterntroller also

_inset

is method, tch reducedupies totald InvMixCol

ion

ere are twofirst way isencrypted davery fastt key schedreduction anlete whole k nto block raition. Thisresource,chieve low-aBy using thn be shart. We first prthem in a 56_36), the

re 6 Structure of

y come in, t-deep shift re fourth colx and thenading from tolumn creatadd with thted until allcontrol of Ralculate are

l of datyption is dohe coltrol siFinite Statecontroller.used to cont

FSMRRcon

the complexi. As a reof 56 slicesmn.ays to implprocess keyta. Using thiith no delayule every tiinefficient.ey expansionm, then readsecond wayespeciallyrea degsign, tis way, theed with Ecompute all12x9 single-iagram is

Key Expander

he first threegister aftermn flow in,dd with Rcohe shift regised will be dsecond col10 round keycon and thedone by a Fia path une by contrgnals for mMachine whioreover, thirol the round

delotWord

‐

Box

ty of thesult, thisfor bothment keyscheduleway one, but thise, whichThe otherfirst andthem justalso helpSubBytee secondSubBytecryption/ ound keyort block hown incolumnsne clock it will don and theter. Afterlayed bymn. Thisare donehosen fornite Stateing forlling theltiplexersch workss masterkey read

3deep

SRL16

key