
STUDY AND IMPLEMENTATION OF HARDWARE SECURITY FOR SINGLE SYSTEM

A Project

Presented to the faculty of the Department of Electrical and Electronic Engineering

California State University, Sacramento

Submitted in partial satisfaction of


the requirements for the degree of

MASTER OF SCIENCE

in

Electrical and Electronic Engineering

by

Parth Rajnikant Gandhi

Muhammad Adnan Sarwar

FALL
2017

Approved by:

__________________________________, Committee Chair


Dr. Suresh Vadhva

__________________________________, Second Reader


Prof. Russ Tatro

____________________________
Date

Student: Parth Rajnikant Gandhi
Muhammad Adnan Sarwar

I certify that these students have met the requirements for format contained in the

University format manual, and that this project is suitable for shelving in the Library and

credit is to be awarded for the project.

__________________________, Graduate Coordinator ___________________


Dr. Preetham Kumar Date

Department of Electrical and Electronic Engineering

Abstract

Today we live in a world that is growing in terms of technology. This technological growth depends on communication, so the field of communication is growing by leaps and bounds. Thanks to advances in communication, one can handle affairs such as bank transactions, business deals and even meetings in a different country or continent while sitting in the comfort of an office elsewhere. As communication grows, the need to secure the data comes into the picture.

Data is always stored in hardware, no matter what application is in use. This hardware can be manipulated or tampered with physically, by analyzing hardware characteristics such as power, electromagnetic emission and time delay, or logically, by running malicious code on the system.

In this project, we have demonstrated a method for securing the hardware using cryptography. The algorithm used to implement cryptography was the Advanced Encryption Standard (AES). AES, also known as Rijndael, was established by the National Institute of Standards and Technology (NIST), USA, in 2001 for protecting electronic data. AES is used to encrypt or decrypt a block of 128 bits using a symmetric key of 128, 192 or 256 bits.

The hardware implementation of the Advanced Encryption Standard (AES) algorithm was modeled in the Verilog hardware description language. Further, the design was validated and synthesized. A testbench was developed in Verilog HDL to verify the design, and Code Coverage was used to check whether the implemented test cases were able to test the RTL thoroughly. Synopsys VCS and the Design Vision tool were used for the verification and synthesis of the RTL, respectively.

Finally, in order to validate the design, the Advanced Encryption Standard algorithm was also implemented as a C program. We ran the same test cases through the C program to check and validate the design implementation of the algorithm.

_______________________, Committee Chair


Dr. Suresh Vadhva

_______________________
Date

ACKNOWLEDGEMENTS

The crucial and most important thing for a project to conclude successfully is vision and support. We would like to thank Dr. Suresh Vadhva and Prof. Russ Tatro for defining the project and providing us the guidance to conclude the project successfully. Their guidance and supervision throughout the project have been magnificent. We would also like to thank Dr. Suresh Vadhva for supporting us unconventionally when we were struggling during the initial phase of the project. We would also like to thank Dr. Suresh Vadhva and Prof. Russ Tatro for reviewing our work and proofreading the report.

We would also like to extend our gratitude to Dr. Preetham Kumar, graduate coordinator of the Electrical and Electronic Engineering Department, for his cooperation and support. Further, we are thankful to all faculty members of the Electrical and Electronic Engineering Department for nurturing our skill set and helping us in accomplishing our requirements for graduation at California State University, Sacramento.

Finally, we would like to thank our parents, who were by our side in all phases of life, whether good or bad. They supported us, motivated us and showed faith in us when we were struggling and having a tough time.

TABLE OF CONTENTS

Acknowledgements
List of Tables
List of Figures

Chapter

1. INTRODUCTION
2. HARDWARE SECURITY : OVERVIEW AND CHALLENGES
   2.1 What is Computer Security?
   2.2 Types of Security Attacks
       2.2.1 Physical Attacks
       2.2.2 Logical Attacks
       2.2.3 Network Attack
   2.3 What is Software Security?
   2.4 What is Hardware Security?
   2.5 Security Goals
   2.6 Security challenges in embedded systems
       2.6.1 Processing performance
       2.6.2 Power consumption optimization
       2.6.3 Tamper resistance
3. DESIGN AND IMPLEMENTATION
   3.1 Overview
   3.2 Introduction
   3.3 Advanced Encryption Standard (AES)
       3.3.1 Substitute Bytes
       3.3.2 Shift Rows
       3.3.3 Mix Column
       3.3.4 Add Round Key
       3.3.5 Key Expansion
       3.3.6 Top Design Module – Synchronization
4. VERIFICATION AND VALIDATION
   4.1 Overview
   4.2 Testbench
   4.3 Validation
   4.4 Code Coverage
5. SYNTHESIS
   5.1 Overview
   5.2 Synthesis Methodology
   5.3 Synthesis Script And Reports
       5.3.1 Synthesis Script : .synopsys_dc.setup
       5.3.2 Synthesis Timing Report
       5.3.3 Synthesis Constraint Report
       5.3.4 Synthesis Area Report
       5.3.5 Synthesis Attribute Report
6. CONCLUSION
References

LIST OF TABLES

Table 1 : State Array
Table 2 : S-Box Hex for encryption [10][13]
Table 3 : S-Box Hex for decryption [10][13]
Table 4 : Round constant values [2]

LIST OF FIGURES

Figure 1 : Flow Chart of Security Challenges and approach [5]
Figure 2 : Transformation of State Array into Word
Figure 3 : Translation of Input to Output State Array
Figure 4 : Structure of AES – 128 bit encryption key [12][13]
Figure 5 : Block level representation of byte substitution [11]
Figure 6 : Bit Scrambling of byte substitution [11][12]
Figure 7 : Shift Row transformation for encryption [11]
Figure 8 : Shift Row transformation for decryption
Figure 9 : Mix Column operation on state array
Figure 10 : Add Round Key operation on state array
Figure 11 : Key Expansion operation on the Original Cipher key
Figure 12 : Top Block for Cryptography
Figure 13 : Internal View of Cryptography Unit
Figure 14 : Verification – Block Diagram
Figure 15 : Simulation Results – Showing write and read of 128 bit data
Figure 16 : Simulation Results – Ending with zero error
Figure 17 : Simulation: C program model
Figure 18 : Simulation – End for C - Model
Figure 19 : Code Coverage Report
Figure 20 : Synthesis Process - Graphical View [15]

Chapter 1

Introduction

Today, we are living in the computer era, where everything is getting digitized. Fund transfers, trading of goods, information exchange and so on have all been digitized. All this information is exchanged through the network and stored on a server or another relevant storage device. This hardware or database may contain tons of sensitive information, ranging from a firm's confidential documents (such as trade secrets) to the personal documents of an individual (such as an SSN). Considering the nature of the information stored on the hardware, the need to secure it arose.

Cryptography is an ancient technique used to keep information from falling into the hands of an unauthorized person. As time progressed, various methods of applying cryptography to a piece of information were developed.

Cryptographic algorithms can be implemented at the software level as well as the hardware level. Security provided by software is only as strong as the security of the operating system (OS) of that particular device, and it can be easily compromised if the security of the OS is breached. Further, performance degradation is a visible problem with this kind of encryption. Hardware encryption, on the other hand, is tied to a specific device, so the encryption is always on. Further, it is independent of the OS, so it is more secure than software-based encryption.

There are numerous techniques available for encrypting data to protect it from intruders; RC4, DES, 3DES and AES are a few names among them. For the demonstration of encryption in this project, we proposed to use the Advanced Encryption Standard (AES) algorithm. AES is a block cipher which provides exceptional performance. Thus, it is widely accepted by industry for the encryption of drives and other hardware devices. The hardware implementation of the AES algorithm involves modeling the algorithm in Verilog HDL (hardware description language), validating it and synthesizing it.

The hardware model is completely verified using a test bench in Verilog. The validation process continues until the model is verified for an acceptable Code Coverage. The hardware model is also validated against a C implementation of the algorithm. The verified model is later synthesized to get an estimate of the number of gates, area and timing of the hardware model.

The rest of the report is organized into six Chapters. Chapter 2 covers an overview of hardware security and addresses different types of issues related to it in detail.

Chapter 3 covers a brief introduction to the AES encryption algorithm. In this chapter, the different steps involved in the AES encryption process are introduced. It also describes the design and modeling of the hardware implementation of the AES 128-bit encryption algorithm by explaining the modules used in the design hierarchy and their interconnections.

Chapter 4 covers the verification of the RTL for the AES algorithm. In this chapter, a test bench is developed which fully validates the design. The test bench fetches input test vectors from a text file and validates the design's functionality. Further, Code Coverage is run on the test bench to ensure every block of the design is checked by the test vectors. This chapter also covers the software implementation of the AES 128-bit algorithm in the C language, which is used to validate the design.

Chapter 5 covers the synthesis of the hardware model. In this chapter, the synthesis results obtained through the Synopsys Design Vision tool, including the timing and area of the netlist, are described.

Finally, in Chapter 6, the entire project work is summarized and potential improvements for future work on this project are included.


Chapter 2

Hardware Security : Overview and Challenges

2.1 What is Computer Security?

Computer security is also termed cyber security or information technology (IT) security. It protects computer systems against theft, as well as against damage to the software, hardware or information on these devices. Furthermore, it secures against misdirection or disruption of the services they provide.

Cyber security controls physical access to hardware and also protects against damage that could come via network access or data or code injection. Because of malpractice by operators, whether intentional or by chance, information technology (IT) security is susceptible to being tricked into deviating from safe procedures.

2.2 Types of Security Attacks

Three types of attack are primarily associated with security:

1. Physical attacks (e.g. systems hardware)

2. Logical attacks (e.g. software)

3. Network attacks (e.g. communication interface)



2.2.1 Physical Attacks

The purpose of a physical attack is to obtain sensitive and important information from the hardware structure during the implementation or execution of security-related hardware operations, by measuring hardware characteristics such as time delay, electromagnetic emission and power in a direct or indirect way. [4]

2.2.2 Logical Attacks

In logical attacks, attackers gain unauthorized privileges and steal data from the perspective of the software structure, such as the operating system (OS), though not limited to the operating system. These logical attacks are carried out with the help of malicious code such as worms, viruses and Trojans, which provide illegal privileges on the special types of IOS, i.e. rights of root access and hijacking. [4]

2.2.3 Network Attack

A cyberspace attack targets an enterprise in order to disable, disrupt, destroy or maliciously control a computing environment, destroying data integrity by hacking controlled information. [6]



2.3 What is Software Security?

Software-based security solutions encrypt the data to protect it from theft. However, a malicious program or a hacker could corrupt the data or make it unrecoverable, leaving the system unusable. Hardware-based security solutions can secure read and write access to the data, and therefore provide a very strong defense against tampering and unauthorized access. [2]

2.4 What is Hardware Security?

Hardware-based or hardware-assisted computer security provides an alternative to software-only computer security. Security tokens may be better protected because of the physical access needed in order to compromise them. Access is authorized only when the token is connected and the correct identification number is entered. However, anyone who has physical access can use dongles. Advanced technologies in hardware-based security resolve this problem by providing foolproof security for data. [2]

It is a fact that even an excellent or ideal software and hardware security solution can be undone by a weak fundamental security system design. The hardware layer of an embedded system is directly exposed to physical attacks even when a secured software layer exists. These attacks use physical means to manipulate hardware or software functioning. One approach that makes these physical attacks very hard to carry out is the tamper-protected hardware security module (HSM). Critical information and operations are protected by these hardware security modules. [1]

2.5 Security Goals

The security services of embedded systems are the same as those of other computer systems. Their aim is to protect critical data and resources from various types of attacks and threats. In embedded systems there are four key security objectives to be met, as follows [5]:

• Availability: ensures that the desired system services are available at any time they are required, despite the presence of attacks. In embedded systems, this requires mechanisms that counter denial-of-service and energy starvation attacks, as well as the various tampering attacks that are elaborated later [5].

• Confidentiality: ensures that the privacy of transmitted data is retained between the communicating parties, i.e., no one except the legitimate parties should know the contents of the messages being exchanged [5].

• Authentication: the process of verifying an identity claimed by a system entity.

• Data Integrity: protects data against illegitimate changes, including both intentional modification or destruction and accidental alteration or damage, by ensuring that these modifications to the data can be detected [5].

2.6 Security challenges in embedded systems

The sensitive application fields of embedded systems usually require them to provide critical functions that could be disabled or damaged by malicious entities. Supporting security services, however, runs into different design challenges arising from the unique characteristics of embedded systems and their particular application requirements. These challenges make it impracticable to apply the projected solutions as designed, and they turn security requirements from an afterthought into an established design issue. These factors give direction to the design of security mechanisms and protocols and are therefore of the greatest importance. [5]



Figure 1 : Flow Chart of Security Challenges and approach [5]

2.6.1 Processing performance

The restricted processing power and memory space of embedded systems make it impossible for their architectures to keep up with the constantly growing complexity of security mechanisms and the expanding data rates provided by the latest communication networks. This problem is also observed in systems that must process greater data rates, such as network routers, and in low-end systems equipped with limited processing and memory resources.

Therefore, the objective is to reduce the processing efficiency gap by developing efficient security structures that appropriately connect software and hardware through co-design approaches. Furthermore, a rational choice of the most appropriate basic security primitives and cryptographic algorithms can help to achieve adequate security processing performance on the resource-constrained embedded system. [5]

2.6.2 Power consumption optimization

Power consumption is one of the most challenging design aspects hindering the development of security designs for battery-powered embedded systems. This aspect needs to be examined independently of the other hardware constraints because it directly influences the life span of the whole system. Although conventional security mechanisms tend to be conservative in their security assurance, they normally involve a large amount of message overhead and computation, which leads to greater energy consumption. This is mainly due to several factors. First, the use of cryptographic primitives implies additional complex computation for the embedded system's processors throughout the key setup and data encryption or decryption stages. Second, energy use is affected by the expansion in size of the transmitted data after its encryption. Finally, the use of secure communication implies transferring data in several rounds, all of which need further data transmissions for the authentication and key establishment phases; this contributes greatly to depleting the battery capacity.

To meet this challenge, energy-efficient execution of security protocols is needed. This aim can be attained through several methods. The obvious one consists of making the execution of the underlying cryptographic primitives highly efficient through a combination of the latest software and hardware development methods. Although this solution is by nature suited to reducing the energy dissipation of security mechanisms, it is not always easy to realize, and it generally comes at a cost in the form of increased silicon area or more complicated software. The second alternative is to adapt the currently available security solutions and make them energy-efficient by allowing them to change their operation and to select the best combination of their essential building blocks, depending on the operator or working environment. This adaptation must be guided by principles that find the best trade-off between the required level of security and the available energy resources. [5]

2.6.3 Tamper resistance

Security protocols and cryptographic algorithms can be broken by exploiting detected implementation flaws, or simply by observing characteristics of their execution such as timing behavior or energy consumption. These new attack flows have been significantly encouraged by the close physical integration of embedded systems with their environment, which makes them more susceptible to tampering. Furthermore, the use of weakly protected wireless communication media by a large share of embedded devices, together with the latest communication models used in embedded networks, introduces more attacks. [5]

Chapter 3

Design and Implementation

3.1 Overview

This chapter is a summary of the Advanced Encryption Standard issued by the National Institute of Standards and Technology in 2001 [7]. Throughout this chapter, the working and implementation of the sub-blocks involved in the Advanced Encryption Standard (AES) are explained in depth. Further, the hardware implementation of 128-bit AES using Verilog is discussed. The RTL design modeled in Verilog HDL is developed using the Synopsys VCS tool.

3.2 Introduction

Cryptography is the technique of protecting original data by transforming it into encoded text, which is known as cipher text. For example, PARTH (original data) is transformed into ZWALM (encoded/cipher text) after some encryption is applied.

Cryptography is broadly categorized into symmetric key and asymmetric key cryptography. Symmetric key cryptography is the one in which there is only one key, used both for encryption and for decryption to get back the original data. Symmetric key cryptography is further classified into block ciphers and stream ciphers. A block cipher is one in which the encryption key is applied to a block of data. AES is a block cipher which uses symmetric key cryptography. A stream cipher is one in which the encryption key is applied to the data bit by bit. Asymmetric key cryptography is the one in which the keys for encryption and decryption of the data are different: it uses one key for encryption and another key for decryption. [8]

3.3 Advanced Encryption Standard (AES)

The Advanced Encryption Standard (AES), which is also known as Rijndael, is the new encryption algorithm established by the National Institute of Standards and Technology (NIST), USA, in 2001. AES was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. Rijndael consists of multiple ciphers with different key and block sizes; AES is thus a subset of Rijndael with specific data and key sizes. The need for AES arose because the DES (Data Encryption Standard) encryption algorithm was cracked in 1997 and hence was no longer considered safe. [7][10]

AES operates on a block size of 128 bits and allows three different key lengths: 128, 192 and 256 bits. For this project we have used a key length of 128 bits. AES is an iterative block algorithm in which the encryption is completed by repeating the process in several rounds. The number of rounds required to complete the encryption depends on the size of the key: a 128-bit key requires 10 rounds, a 192-bit key needs 12 rounds and a 256-bit key needs 14 rounds. Other than the last round of encryption, all the rounds are performed identically. [12]

In AES, the data block and the key are both represented in the form of a matrix. These matrices are built according to the following rules:

a. Each element of the matrix is represented as a 1-byte (i.e. 8-bit) integer.

b. The number of rows of the matrices (Nb) remains constant irrespective of the data/key size and is equal to 4.

c. The number of columns of the data matrix (Ns) depends on the block size, which is 128 bits for AES, and hence remains constant at 4.

d. The number of columns of the key matrix (Nk) depends on the key size and is equal to the key size divided by 32. [10]

In this project we are using a block and key size of 128 bits. Thus, the entire data set can be arranged in the form of a 4x4 matrix [refer to Table 1]. Each element of this matrix is 1 byte. This matrix is called the state array. In the state array, the first four bytes of data are stored in the first column, the next four bytes in the second column, and so on.
B0  B4  B8   B12
B1  B5  B9   B13
B2  B6  B10  B14
B3  B7  B11  B15

Table 1 : State Array

In AES, each column of the state array is called a word. Each word consists of four bytes, i.e. 32 bits, of the state array.

Figure 2 : Transformation of State Array into Word

At every round of the encryption, various processes take place on the input state array, which results in the output state array.

Figure 3 : Translation of Input to Output State Array

Each round consists of four stages, including the encryption key itself.

For encryption, the four stages occur in the following order:

1. Substitute bytes

2. Shift rows

3. Mix columns

4. Add round key

In encryption, the last step of each round consists of an XOR operation between four words from the key schedule and the output state array obtained after the third step, i.e. Mix Columns. [12]

For decryption, the four stages occur in the following order:

1. Inverse shift rows

2. Inverse substitute bytes

3. Add round key

4. Inverse mix columns

In decryption, the third step of each round consists of an XOR operation between four words from the key schedule and the output state array obtained after the second step, i.e. Inverse substitute bytes. [12]

In encryption, the last round does not include the Mix columns step, while in decryption the last round does not include the Inverse mix columns step. [12]

The round keys used for each round of encryption and decryption are generated from the original key by the Key Expansion Unit. This unit generates multiple round keys for the transformation of the input state array during each round. The detailed working of this unit is explained later in this chapter. [12]

The overall structure of the Advanced Encryption Standard (AES) algorithm, with all rounds and key expansion, is shown in Figure 4 below.



Figure 4 : Structure of AES – 128 bit encryption key [12][13]



3.3.1 Substitute Bytes

Byte substitution is a non-linear transformation which acts on each byte of the input state array in isolation to generate a new byte value, using the corresponding element of the S-Box substitution table. The action of this transformation is illustrated in Figure 5. [11][12]

Figure 5 : Block level representation of byte substitution [11]

S-Box is the look up table of 16x16 elements where the entries are constructed by a

combination of GF(2^8) arithmetic and bit scrambling. Byte substitution which is

performed using the S-Box is invertible and it is constructed by following two

transformations:[11][12]
21

1. The first step is to find the multiplicative inverse in GF(2^8), based on the irreducible polynomial x^8 + x^4 + x^3 + x + 1. The {00} element is mapped to itself, as this element has no multiplicative inverse.[11][12]

2. The second step is to perform bit scrambling. This is done by applying the following transformation to every bit b_i of the corresponding byte stored in the S-Box lookup table. This is also known as the affine transformation.[11][12]

where c_i - bits corresponding to hex value 63

Thus, the overall transformation after the second step, which is bit scrambling, can be visualized as shown in the figure below.

Figure 6 : Bit Scrambling of byte substitution [11][12]

For decryption, similar steps are performed but in reverse order. First the bit scrambling is done, and then the multiplicative inverse of the hex value is found. Bit scrambling for decryption is performed by the following equation [12]:

where c_i - bits corresponding to hex value 05

The 16x16 S-Box tables generated by the above algorithm are shown in Table 2 and Table 3 below.

Table 2 : S-Box Hex for encryption [10][13]

Table 3 : S-Box Hex for decryption [10][13]

For example, if the input state array contains the hex value 75, it is replaced by the element at the 7th row and 5th column of the S-Box.

Verilog implementation of the byte substitution is as follows:

Verilog implementation of the S-Box is as follows:

3.3.2 Shift Rows

The shift row transformation of the state array is a cyclical shift of bytes within the rows of the array.

For encryption, bytes are shifted towards the left, in the following order:

1. No shifting is done in the first row

2. Shift bytes in second row by one.

3. Shift bytes in third row by two.

4. Shift bytes in fourth row by three.

This shifting process during encryption is illustrated in the following figure (Fig. 7).

Figure 7 : Shift Row transformation for encryption [11]

For decryption, bytes are shifted towards the right, in the same order as for encryption, which is as follows:

1. No shifting is done in the first row

2. Shift bytes in second row by one.

3. Shift bytes in third row by two.

4. Shift bytes in fourth row by three.

This shifting process during decryption is illustrated in the following figure (Fig. 8).

Figure 8 : Shift Row transformation for decryption

Note that the plain text or data coming into the AES unit is written column-wise into the state array. Thus, the first four bytes are written in the first column of the state array, the second four bytes in the second column, and so on. As a result, shifting the rows in this way scrambles the byte order of the input state array.

Verilog implementation of the Shift Rows is as follows:

3.3.3 Mix Column

Mix column transformation is performed on every column of the state array independently with the help of a function. In this step each byte of the state array is substituted by twice the first byte plus three times the second byte plus the third byte and the fourth byte. Thus, Mix Column together with the Shift Row transformation develops diffusion in the cipher text.[9][12]

The steps involved in the Mix Column transformation for encryption can be expressed by the following equations.[12]

Similarly, the Mix Column transformation for decryption can be expressed by the following equation.[12]

The entire flow of the Mix column transformation is shown in Figure 9.

Figure 9 : Mix Column operation on state array
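
Shift Rows and Mix Column as described in Sections 3.3.2 and 3.3.3, written out in C as an added example (it is not the project's Verilog or C model). The multiplications are carried out in GF(2^8); the function names, the sample column and the sample state are chosen here for illustration, and the last function measures the diffusion that the text attributes to the two steps together.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Multiply by 0x02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1. */
static uint8_t xtime(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }

/* Multiply by one of the decryption coefficients 09, 0b, 0d, 0e by doubling. */
static uint8_t mul_inv_coeff(uint8_t a, uint8_t k) {
    uint8_t a2 = xtime(a), a4 = xtime(a2), a8 = xtime(a4);
    return (uint8_t)(a8 ^ ((k & 4) ? a4 : 0) ^ ((k & 2) ? a2 : 0) ^ ((k & 1) ? a : 0));
}

/* State layout: 16 bytes written column-wise, s[r + 4*c] is row r, column c.
   Row r is rotated by r positions: left for encryption, right for decryption. */
void shift_rows(uint8_t s[16], int decrypt) {
    uint8_t t[16];
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++)
            t[r + 4 * c] = s[r + 4 * ((decrypt ? c + 4 - r : c + r) % 4)];
    memcpy(s, t, 16);
}

/* Encryption Mix Column on one column: coefficients (02 03 01 01), rotated per row. */
void mix_column(uint8_t c[4]) {
    uint8_t a[4];
    memcpy(a, c, 4);
    for (int i = 0; i < 4; i++)
        c[i] = (uint8_t)(xtime(a[i]) ^ xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4] ^
                         a[(i + 2) % 4] ^ a[(i + 3) % 4]);
}

/* Decryption Mix Column: coefficients (0e 0b 0d 09), rotated per row. */
void inv_mix_column(uint8_t c[4]) {
    uint8_t a[4];
    memcpy(a, c, 4);
    for (int i = 0; i < 4; i++)
        c[i] = (uint8_t)(mul_inv_coeff(a[i], 0x0e) ^ mul_inv_coeff(a[(i + 1) % 4], 0x0b) ^
                         mul_inv_coeff(a[(i + 2) % 4], 0x0d) ^ mul_inv_coeff(a[(i + 3) % 4], 0x09));
}

/* Flip one bit of a constructed sample state and count how many bytes differ
   after `rounds` passes of Shift Rows followed by Mix Column. */
int diffusion_spread(int rounds) {
    uint8_t a[16], b[16];
    int n = 0;
    for (int i = 0; i < 16; i++) a[i] = b[i] = (uint8_t)(0x11 * i);
    b[0] ^= 0x01;
    for (int r = 0; r < rounds; r++) {
        shift_rows(a, 0);
        shift_rows(b, 0);
        for (int c = 0; c < 4; c++) {
            mix_column(a + 4 * c);
            mix_column(b + 4 * c);
        }
    }
    for (int i = 0; i < 16; i++) n += (a[i] != b[i]);
    return n;
}

int main(void) {
    uint8_t col[4] = {0xdb, 0x13, 0x53, 0x45};   /* constructed sample column */
    mix_column(col);
    printf("mixed:    %02x %02x %02x %02x\n", col[0], col[1], col[2], col[3]);
    inv_mix_column(col);
    printf("restored: %02x %02x %02x %02x\n", col[0], col[1], col[2], col[3]);
    printf("bytes changed after 1 pass: %d, after 2 passes: %d\n",
           diffusion_spread(1), diffusion_spread(2));
    return 0;
}
```

A single changed input byte spreads to one full column after the first pass and to the whole state after the second, because Shift Rows moves the four affected bytes into four different columns before Mix Column is applied again.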



Verilog implementation of the Mix Column is as follows:



Verilog implementation of sub-module word_mixcolumn is as follows:



Verilog implementation of sub-module byte_mixcolumn is as follows:



3.3.4 Add Round Key

The Add Round Key operation is the critical step where the encryption key comes into the picture. In this step of the AES process the round key is applied to the input state with an Exclusive-OR operation. Round keys for this operation are generated by Rijndael’s key expansion algorithm, which is explained later in this chapter.[9][11]

In this step each word of the input state array is XORed with the corresponding word of the round key. It is a basic bitwise operation between the elements of the two matrices. This can be expressed by the following equation.[11]

In this equation, “round” ranges from 0 to 10 for the AES 128-bit algorithm used in this project. For the first round the round key is the same as the key inserted. Later on, the round keys are generated by the permutation and combination of the original key.[11]

The Add Round Key transformation is illustrated by the following figure.

Figure 10 : Add Round Key operation on state array

Verilog implementation of the Add Round Key is as follows:



3.3.5 Key Expansion

In this project we use a 128-bit encryption key for the AES algorithm. This key is arranged in the form of a 4x4 byte matrix. Each word consists of 4 bytes. The first word of the key is placed in the first column of the matrix, and so on. For the entire encryption or decryption process to complete, 44 words are required in total, considering that each round consumes 4 words from the key scheduler. The Key Expansion algorithm is used to generate a new 128-bit key for each round from the original 128-bit encryption key through various permutations and combinations [12]. The entire flow of the key scheduling process is illustrated by the following figure.

Figure 11 : Key Expansion operation on the Original Cipher key

The first four words of the expanded key come from the original cipher key. Thus, the first four bytes of the key form word 0 (W0), the next four bytes form word 1 (W1), and so on.[12]

Assume the four words for the round key of the ith round are:

where i = round * Nb, Nb = 4

Thus, for these words to serve as round keys, i should be a multiple of 4, as is evident from the equation above. Further, these words serve as the round key in the (i/4)th round. To determine the words for the next round, we make use of the words from the previous round. This can be illustrated by the equations. [12]

From the above equation it is clear that, except for the first word of the next round, all the other words can be formed by a simple XOR operation. This XOR operation takes place between the previous word of the current set and the corresponding word in the previous set. [12]

Moving forward, the calculation of the first word of the new set involves multiple operations. This is explained by the following set of equations.[12]

From the above equation, it can be seen that the first word of the current set is formed by the XOR operation between the first word of the previous set and a function (i.e. g()) of the last word of the previous set (i.e. W_(i+3)).[12]

Further, the calculation of the function g() involves the following three steps:[12]

1. Shift the bytes of the last word of the previous set by 1 position.

2. Substitute every byte of the word with the corresponding byte from the 16x16 lookup table (i.e. S-Box). This step is similar to the step involved in the Substitute Bytes transformation.

3. Perform an XOR operation between the set of bytes obtained from step 2 and the round constant. The round constant is a word padded with zeros in the least significant bytes.

Round Constant:

For the ith round, the round constant is denoted by RCON[i]. In this round constant the three least significant bytes are zero. Thus, the round constant word for the ith round can be visualized as shown in the equation below.[12]

Note that the only non-zero byte in the round constant is RC_i. RC_i is a recursive value which is calculated in the following manner.[12]

Thus, RCON[i] can be defined as [x^(i-1) 0 0 0], where x is equal to 0x02.

Hence, the values of RC_i for the 10 rounds of the encryption/decryption process are given in the following table.[12]

i     0   1   2   3   4   5   6   7   8   9   10

x^i   01  02  04  08  10  20  40  80  1b  36  6c

Table 4: Round constant values [2]
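
The S-box construction of Section 3.3.1 (inverse in GF(2^8) followed by bit scrambling with 63, or 05 for decryption) and the key expansion steps above can be checked together in software. The following C code is an added example, not the project's Verilog or C model; the function names are chosen here, and the sample key is the AES-128 example key from FIPS-197 Appendix A.1.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0x00));
    }
    return p;
}

/* Step 1: multiplicative inverse as a^254; {00} maps to itself. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* Encryption S-box entry: inverse, then bit scrambling with constant 0x63. */
uint8_t aes_sbox(uint8_t x) {
    uint8_t b = gf_inv(x);
    return (uint8_t)(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63);
}

/* Decryption S-box entry: bit scrambling with constant 0x05, then inverse. */
uint8_t aes_inv_sbox(uint8_t y) {
    return gf_inv((uint8_t)(rotl8(y, 1) ^ rotl8(y, 3) ^ rotl8(y, 6) ^ 0x05));
}

/* g(): rotate the word by one byte, substitute each byte, XOR the round constant. */
static uint32_t g(uint32_t w, uint8_t rc) {
    uint32_t r = (w << 8) | (w >> 24), s = 0;
    for (int sh = 24; sh >= 0; sh -= 8)
        s |= (uint32_t)aes_sbox((uint8_t)(r >> sh)) << sh;
    return s ^ ((uint32_t)rc << 24);    /* RCON = [RC 0 0 0] */
}

/* Expand a 128-bit key into 44 words; round r uses w[4r] .. w[4r+3]. */
void aes128_key_expand(const uint8_t key[16], uint32_t w[44]) {
    uint8_t rc = 0x01;                  /* RC for round 1 */
    for (int i = 0; i < 4; i++)         /* W0..W3 are the cipher key itself */
        w[i] = ((uint32_t)key[4 * i] << 24) | ((uint32_t)key[4 * i + 1] << 16) |
               ((uint32_t)key[4 * i + 2] << 8) | key[4 * i + 3];
    for (int i = 4; i < 44; i++) {
        uint32_t t = w[i - 1];
        if (i % 4 == 0) {               /* first word of a new round key */
            t = g(t, rc);
            rc = gf_mul(rc, 0x02);      /* next RC = 0x02 * previous RC */
        }
        w[i] = w[i - 4] ^ t;
    }
}

int main(void) {
    /* Sample key: the AES-128 example key from FIPS-197 Appendix A.1. */
    static const uint8_t key[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                                    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c};
    uint32_t w[44];
    aes128_key_expand(key, w);
    printf("S(75) = %02x, InvS(9d) = %02x\n", aes_sbox(0x75), aes_inv_sbox(0x9d));
    for (int r = 0; r <= 10; r++)
        printf("round %2d: %08x %08x %08x %08x\n", r, (unsigned)w[4 * r],
               (unsigned)w[4 * r + 1], (unsigned)w[4 * r + 2], (unsigned)w[4 * r + 3]);
    return 0;
}
```

Comparing the printed round keys against a published key-expansion vector checks the key scheduler on its own, independently of an encrypt-then-decrypt comparison.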

Verilog implementation of the Key Expansion or key scheduler is as follows:



3.3.6 Top Design Module – Synchronization

In the top design module we have instantiated all the sub-modules described earlier in this chapter. We used a bottom-up approach, in which we developed all the sub-modules and thereafter integrated them into the top module. We created a module called AES which includes all the sub-modules for substitution of bytes, shifting of the rows, mixing of the columns and adding the round keys. We also used a FIFO as the storage device, whose depth is 16*128 bits. The major role of the FIFO is to output the data in the same order as they were supplied to the RTL. The entire RTL block is illustrated by the following figures.

Figure 12 : Top Block for Cryptography



Figure 13 : Internal View of Cryptography Unit

Verilog implementation of the top of Design Under Test is as follows:



crypto_fifo.v ( DUT Top) :



aes.v :

fifo.v :

Chapter 4

Verification and Validation

4.1 Overview

In this chapter, we cover the test infrastructure, i.e. the testbench, for the design developed for the AES 128-bit encryption algorithm. The testbench was developed in Verilog HDL using the Synopsys VCS tool. Further, we validated the correctness of the test results against a C implementation of the algorithm. Moreover, to check the strength of our test parameters, code coverage reports were generated.

4.2 Testbench

In this project, we used the Verilog HDL language to develop the test infrastructure, or testbench, for verifying the design developed for the AES 128-bit algorithm. The major components of the testbench used in this project are:

1. Instantiation of Design Under Test for AES – 128 bit

2. Input Vectors generator

3. Comparator

4. Monitor

This is well illustrated in the figure below.

Figure 14 : Verification – Block Diagram

In this testbench, we generated randomized input test vectors and stored them in a file called abc.txt. These test vectors are passed to the design as well as to the validation block developed in the testbench. Thus, the data that was input to the DUT is compared with the data that is given out by the design. If both are the same, i.e. if the input data written into the validation block and the DUT is the same as the data given out by the DUT after decryption, then the comparator does not throw any error. Further, we have to stimulate the other inputs of the design along with generating the clock to supply the design.

Along with these randomized test cases, we also generated manual test cases, which were stored in a file called input.txt. These cases were mainly developed to improve the coverage of the test. We used the Synopsys VCS simulator for this project. To compile the code, the following command is used.

This compiles the entire DUT instantiated in the design. It throws an error if there are any illegal transactions or logical or syntax mistakes. After the successful compilation of the DUT and connecting the test environment to the DUT, we can run the simulation. To run the simulation, the following command is used.

In the simulation, the test parameters are passed to the DUT from the testbench and the result from the DUT is compared with the input stream of 128-bit data. The simulation results received from the VCS simulator are shown in the following figures.

Verilog implementation for test fixture is as follows:



Figure 15 : Simulation Results – Showing write and read of 128 bit data

Figure 16 : Simulation Results – Ending with zero error



4.3 Validation

To validate the encryption model, we developed a C model for AES encryption with the same specification. We passed the same test cases to the C program and captured the simulation result. In this model, we had to define a static S-box, which was used for substitution of the bytes in the state array.

The GCC compiler was used to simulate the model. To compile the C program and run the simulation, the following command was used.

The C program of the Advanced Encryption model is as follows:



main.c

aes.c

aes.h

Figure 17 : Simulation: C program model



Figure 18 : Simulation – End for C - Model



4.4 Code Coverage

Code coverage is mainly used to check whether the test cases used in the testbench exercise every line. Further, it evaluates how many of the conditions used in the RTL were executed by the test cases.

The entire report is generated by the Synopsys VCS tool. To generate these reports, the following commands are used.

The generated reports are in HTML format, so they can be accessed through any browser.

After analyzing these reports, we developed directed test vectors in order to improve coverage. Those test vectors were saved in the text file called "input.txt". Thereafter, we ran both sets of inputs through the DUT and got the following code coverage results.

Figure 19 : Code Coverage Report



Chapter 5

Synthesis

5.1 Overview

For many years, a manual process was followed for logic verification, drawing interconnections between elements to generate a “gate-level netlist”. The designer would also translate HDL into a schematic manually. Synthesis tools have since taken over the task of reducing the register transfer level code to the “gate-level netlist”. This procedure is known as synthesis. [15]

Synthesis starts with defining constraints for every block within the design. For any particular block, all the constraints defined for any signal within the design are associated with the clock. In addition, a library file is required along with the specified constraints. This file contains information such as temperature, voltage, current and other parameters related to the cells of the library which are used to form the actual hardware. [15]

Design Compiler synthesizes the RTL code into the structural level using the timing constraints, thereby generating a mapped gate-level netlist. [15]

Figure 20 : Synthesis Process - Graphical View [15]

Basically, the synthesis design flow consists of three major phases, namely “Translation”, “Optimization” and “Mapping”.

In this chapter, we illustrate how the Synopsys Design Compiler tool synthesizes the AES model.

5.2 Synthesis Methodology

To perform all the synthesis steps, a tickle (Tcl) script was developed to synthesize the AES design model.

In the synthesis process, the first step is to read all the components that need to be synthesized in the hierarchical design. For DC, the input design is written in a hardware description language such as Verilog as the first step in synthesis. It was necessary to consider design data management, design partitioning and HDL coding style when writing the HDL code. These directly affect synthesis and the optimization process.

The second step is to specify the libraries. The design depends upon a startup file, commonly called .synopsys_dc.setup, which is kept in the working directory for the Design Compiler tool. Design Compiler requires the minimal information in the startup file to be in Tcl format. [15]

The library location is specified using the complete path with the file name. To locate the library files, Design Compiler uses the search path defined in search_path. The search path includes the current working directory. In our project the search path was defined as

Design Compiler looks for library files beginning with the leftmost directory defined in search_path and uses the first matching library identified by the link library, target library and symbol library settings in the script. In our project, the “lsi_10k” library was provided with the Synopsys synthesis tool.

The target and link libraries are considered technology libraries. Both libraries specify the semiconductor vendors, the set of cells and related information such as cell names, cell pin names, delay arcs, design rules, pin loading and operating conditions. [14]

The symbol library contains the graphical representation of the cells in the technology library. When the graphical “front-end tool” and “design analyzer” are used, the symbol library is used for the schematic representation of the gates. [15]

After the libraries are specified, both the RTL designs and the gate-level netlist are read by Design Compiler. Design Compiler uses the HDL compiler to read RTL designs. Compared to the HDL compiler, the specialized netlist reader uses the minimum memory space and reads netlists faster. [14]

Design Compiler reads, analyzes and elaborates the design from the startup file with the following commands:

After reading the design, Design Compiler needs the design environment before optimization. The design environment was defined by the following set of commands:

The next step is setting the design constraints. To control design synthesis, Design Compiler uses design rule constraints and optimization constraints. The design rules are provided in the vendor technology library to make sure that the product works as intended and meets the specifications. The design goals cover area (“maximum area”) and timing (“clocks, input and output delays”). DC attempts to meet these goals without violating the design rules in the process of optimization. [14]

These constraints are specified with the following commands:

After setting the design constraints, the next step is to compile the design. There are two basic compile strategies for optimizing the design: the top-down and the bottom-up strategy. The top-down strategy compiles the top-level design and its sub-designs together. The constraint and environment settings are specified with respect to the top level of the design. Moreover, this strategy checks inter-block dependencies automatically. [15]

5.3 Synthesis Script And Reports

5.3.1 Synthesis Script : .synopsys_dc.setup



5.3.2 Synthesis Timing Report



5.3.3 Synthesis Constraint Report



5.3.4 Synthesis Area Report



5.3.5 Synthesis Attribute Report

Only a few samples are shown due to the size of the report.

Chapter 6

Conclusion

In this project, a 128-bit algorithm was developed and verified for the AES encryption standard using Verilog HDL. To obtain accurate analysis of the reports and functionality of the algorithm, Synopsys tools such as VCS and Design Compiler were used. The output of the RTL was validated against the reference model, which was developed in the C language.

The entire AES 128-bit algorithm proposed for encryption of the data was designed in multiple modules. These modules contained the individual functions of the algorithm, mainly byte substitution, shift rows, mix column, adding the round keys, key expansion, and the S-box. Designing a software-based algorithm to encrypt hardware was a difficult task. This algorithm has a good level of security, as it breaks the incoming data into several parts and applies different combinations of the key during 10 rounds of encryption. Hence, it becomes impossible to break into the cryptographic unit and decode the data without the appropriate key. We had to face several difficulties while developing the RTL for AES 128-bit. For example, while synchronizing all the units together we were losing the intermediate data, and we had decryption issues, and so on. We observed the data streams and, through various trials, we were able to eradicate the issues successfully.

The RTL design was rigorously verified and validated using features of Verilog. The test fixture uses randomized test cases generated with the $random function of Verilog, and its clock is generated using an always block. The test bench was run through code coverage to measure the extent of verification. The overall coverage achieved was 84.35%. A Verilog behavioral model was used to validate the design model against the input test cases. This model is further validated against a software implementation of AES 128-bit (in C).

Finally, we verified that the design is synthesizable using the Synopsys Design Vision tool. We generated the gate-level netlist for the RTL using the LSI_10K technology library. We generated timing, area and power reports. The results show that the design can operate at a 50 MHz frequency, and zero slack was found at that frequency.

There are a few aspects of this project that can be explored in future. The design of the entire encryption and decryption unit can be pipelined, which may result in better throughput and improve the timing of the design. Further, if the test fixture were developed in System Verilog, we could verify the design against functional coverage.

References

1. M. Wolf and A. Weimerskirch, “Hardware Security Modules for Protecting Embedded Systems.” ESCRYPT Inc. – Embedded Security, Munich, Germany.

2. “Data security,” Wikipedia, 27-Oct-2017. [Online]. Available: https://en.wikipedia.org/wiki/Data_security. [Accessed: 19-Nov-2017].

3. Yier Jin, “Introduction to Hardware Security,” Electronics, vol. 4, issue 4, pp. 763-784, 2015.

4. A. P. Fournaris and N. Sklavos, “Secure embedded system hardware design – A flexible security and trust enhanced approach,” Computers & Electrical Engineering, vol. 40, no. 1, pp. 121–133, 2014.

5. L. Khelladi, Y. Challal, A. Bouabdallah, and N. Badache, “On security issues in embedded systems: challenges and solutions,” International Journal of Information and Computer Security, vol. 2, no. 2, p. 140, 2008.

6. L. Ayala and L. Ayala, “Chapter 4,” in Cybersecurity lexicon, Berkeley, CA: Apress, 2016, pp. 40–50.

7. “Advanced Encryption Standard,” Wikipedia, 16-Nov-2017. [Online]. Available: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard. [Accessed: 19-Nov-2017].

8. “Cryptography,” Wikipedia, 13-Nov-2017. [Online]. Available: https://en.wikipedia.org/wiki/Cryptography#Modern_cryptography. [Accessed: 19-Nov-2017].

9. Hardik Manocha and Samnit Dua, “Verilog Design of Advanced Encryption Standard with Dynamic S-Box,” B. E. thesis, G B Pant Government Engineering College, Delhi, 2007.

10. Artur Gielata, Pawel Russek, Kazimierz Wiatr, “AES hardware implementation in FPGA for algorithm acceleration purpose,” ICSES 2008 International Conference On Signals And Electronic Systems, Kraków, September 14-17, 2008, pp. 1–4.

11. Z. Alaoui-Ismaili, A. Moussa, A.Ei Mourabit and K. Amechnoue, “Flexible Hardware Architecture for AES Cryptography Algorithm,” IEEE Int. Conf. Communications, 2009, pp. 1–4.

12. A. Kak, “Lecture 8: AES: The Advanced Encryption Standard,” in Lecture Notes on “Computer and Network Security”, Purdue University, West Lafayette, IN, 19-Nov-2017.

13. W. Stallings, “Chapter 5,” in Cryptography and network security principles and practices, Fourth., Boston, MA: Pearson, 2017, pp. 134–173.

14. “Design Compiler User Guide,” google, 03-Nov-2017. [Online]. Available: http://beethoven.ee.ncku.edu.tw/testlab/course/VLSIdesign_course/course_96/Tool/Design_Compiler%20_User_Guide.pdf. [Accessed: 17-Nov-2017].

15. Himanshu Bhatnagar, “ADVANCED ASIC CHIP SYNTHESIS,” Using Synopsys®, Design Compiler™, Physical Compiler™ and PrimeTime®, Second edition, Kluwer Academic Publishers, New York, 2002.