
2012 International Conference on Communication Systems and Network Technologies

HARDWARE EFFICIENCY COMPARISON OF AES IMPLEMENTATIONS

Raneesha K, Rema Vellody and R Nandakumar
VLSI Design Group
National Institute of Electronics and Information Technology
Calicut, Kerala, India
Email: {esha20mustafa,rvellody.rema,nanda24x7}@gmail.com

978-0-7695-4692-6/12 $26.00 © 2012 IEEE
DOI 10.1109/CSNT.2012.187

Abstract—The AES algorithm can be implemented in different styles at the programming level. This paper compares the hardware efficiency of different AES implementations with respect to their area, speed and power performance, in particular for two different styles: one using a controller and the other an iterative method. These designs were described using Verilog HDL, simulated using Modelsim® and prototyped in Altera's platform FPGA.

Index Terms—AES, VLSI Cryptosystems, Rijndael, power analysis, FPGA, hardware efficiency

I. INTRODUCTION

The importance of cryptography applied to electronic data transactions has acquired an inevitable relevance during the last few decades. Large volumes of information in various fields, such as financial and legal files, medical reports, bank services via Internet, telephone conversations, and e-commerce transactions, are generated and interchanged among millions of users every day. All these applications and several others deserve significant treatment from the security point of view, not only in the transport of such information but also in its storage. In this sense, cryptographic techniques, particularly at the hardware level, are especially applicable. Hence, this implementation will find application in wireless security, such as military communication and mobile telephony, where there is a greater emphasis on the complexity of computation and on the speed of communication.

In cryptography, the AES, also called Rijndael, is a block cipher adopted as an encryption standard by the US government, which specifies an encryption algorithm capable of protecting sensitive information [1, 2]. The Rijndael algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data into an unintelligible form called cipher-text. Decryption of the cipher-text converts the data back into its original form, which is called plaintext. The AES algorithm supports key lengths of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits [3, 4], hence the names AES-128, AES-192 and AES-256 respectively. A hardware implementation of the AES algorithm can provide high performance, low cost for specific applications, and reliability compared to its software counterparts.

The paper is organized as follows: the Rijndael algorithm is described in Section II; Section III describes hardware and software co-design and implementation issues; Section IV describes the comparison results. The conclusion is given in Section V.

II. AES ALGORITHM

The AES algorithm [1] is a symmetric block cipher that processes a data block in four different steps that are repeated for Nr rounds. The steps are substitute bytes, shift rows, mix columns and add round key. The value of Nr depends on the key length: 10 rounds for AES-128, 12 rounds for AES-192 and 14 rounds for AES-256. The current implementation supports AES-128 encryption. Fig. 1 shows the AES-128 encryption procedure.

The architecture operates on an intermediate result called the State, which is an array of bytes. The array has four rows and four columns for AES-128. The flow of these operations is depicted below.

Figure 1. The AES-128 Encryption Algorithm

A. SubBytes phase

Each byte of the state is substituted with an 8-bit value from the S-box. The S-box contains a permutation of all 256 possible 8-bit values. It is the only non-linear transformation in this procedure. The S-box is obtained by a multiplicative inverse over $GF(2^8)$ and an affine transform. The SubBytes operation is required for both encryption and key expansion, and its inverse is used for decryption. Its implementation has a direct impact on the overall throughput.

Figure 2. SubBytes applies the S-box to each byte of the state

B. ShiftRows phase

In the ShiftRows operation, each row of the state is shifted cyclically to the left. The number of shifts depends on the row number. The top row is not shifted and the last three rows are cyclically shifted over 1, 2, and 3 bytes, respectively.

Figure 3. ShiftRows cyclically shifts the last three rows in the state

C. MixColumn phase

The MixColumn operation works on the state column by column, and each column is treated as a four-term polynomial over $GF(2^8)$. As a result of this multiplication, the new four bytes in a column are generated as follows:

A' = ({02}.A) ^ ({03}.B) ^ ({01}.C) ^ ({01}.D)
B' = ({01}.A) ^ ({02}.B) ^ ({03}.C) ^ ({01}.D)    (1)
C' = ({01}.A) ^ ({01}.B) ^ ({02}.C) ^ ({03}.D)
D' = ({03}.A) ^ ({01}.B) ^ ({01}.C) ^ ({02}.D)

The '^' operation is XOR (addition modulo 2) and '.' is multiplication of polynomials modulo the irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$. The operation {02}.X can be computed in Verilog HDL as:

{02}.X = {X[6:0], 1'b0} ^ (8'h1B & {8{X[7]}})    (2)

So {03}.X can be generated as follows:

{03}.X = ({02}.X) + {01}.X    (3)

Figure 4. MixColumns operates on the state column-by-column

D. AddRoundKey phase

The AddRoundKey operation is a simple logical XOR of the state with a round key, which is produced by the key expansion operation.

Figure 5. AddRoundKey XORs each column of the state with a word from the key schedule

E. Key expansion phase

The key expansion operation generates a key schedule of 11 round keys of 16 bytes each. Each group of four consecutive bytes forms a word, denoted $w_i$. The first round key is the initial key, and to generate every $w_i$ (except $w_0$–$w_3$) the routine uses the previous word $w_{i-1}$ XOR $w_{i-4}$ (except when i mod 4 = 0). To get $w_i$ when i mod 4 = 0, the operation has four stages: RotWord, SubWord, XOR Rcon[i/4] and XOR $w_{i-4}$. The function RotWord takes a word [a0,a1,a2,a3] as input, performs a cyclic permutation, and returns the word [a1,a2,a3,a0]. SubWord is a function that takes a four-byte input word and applies the S-box to each of the four bytes to produce an output word. Rcon[i/4] contains the values given by [$x^{i/4-1}$, {00}, {00}, {00}], with $x^{i/4-1}$ being powers of x (x is denoted as {02}) in the field $GF(2^8)$ [5]. Every following word, w[i], is obtained by performing XOR of the previous word, w[i-1], and the word Nk (the number of 32-bit words comprising the Cipher Key) positions earlier, w[i-Nk].

III. AES DESIGN

In this paper AES is implemented in two different styles at the description level (Verilog HDL). In the first method, each step of the Rijndael algorithm is declared as a module. These individual modules are then called from the encryption and decryption modules. All these modules are finally combined in a single module in which the encryption and decryption processes are controlled by a mode key. In the second method, we implement a controller which controls the encryption and decryption processes. Along with the steps of the Rijndael algorithm, the controller is also programmed as an individual module; these modules are then instantiated in the top module of the program.

IV. IMPLEMENTATION AND RESULTS

Both programs are simulated using Mentor Graphics Modelsim® and synthesised using Quartus II. The target is the EP2C35F672C6 of the Cyclone II® family. This paper compares the following parameters for the test programs, taken from the compilation report: Combinational ALUTs, Dedicated Logic Registers, Total Registers, Total Pins and Block Memory Bits. Power analysis is also performed, and the parameters Total Thermal Power Dissipation, Core Static Thermal Power Dissipation and I/O Thermal Power Dissipation are compared based on the analysis.

a. Simulation Results

The simulation results are shown in Figures 6 and 7. Here, in the iterative method the output is obtained in a single clock run, while this is not so in the controller method.

Figure 6: Simulation Report of controller based implementation of AES

Note:
Encryption:(clk=1,reset=1,load_i=1,decrypt_i=0,data_i=54776f204f6e65204e96e652054776f,key=5468617473206d79204b756e67204675,data_o=29c3505f571420f6402299b31a02d73a)
Decryption:(clk=1,reset=1,load_i=1,decrypt_i=1,data_i=29c3505f571420f6402299b31a02d73a,key=5468617473206d79204b756e67204675,data_o=54776f204f6e65204e96e652054776f)
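The steps of Section II (SubBytes, ShiftRows, Eqs. (1) to (3) for MixColumns, AddRoundKey and the key expansion) assembled into a software reference model for checking simulation output; this is an added example in plain Python, not the paper's Verilog, and all function names are this example's own. The vector it carries is the input text and key of Table 3's first row, with the output text the paper reports for them.

```python
# Added reference model (function names are this example's own, not the paper's Verilog).
def xtime(b):
    # Eq. (2): {02}.X = {X[6:0],1'b0} ^ (8'h1B & {8{X[7]}})
    return ((b << 1) & 0xFF) ^ (0x1B if b & 0x80 else 0)

def gmul(a, b):
    # GF(2^8) product modulo m(x), computed by shift-and-XOR
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def make_sbox():
    # SubBytes table: multiplicative inverse ({00} stays {00}), then the affine transform
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    inv = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
    return [v ^ rotl(v, 1) ^ rotl(v, 2) ^ rotl(v, 3) ^ rotl(v, 4) ^ 0x63 for v in inv]
SBOX = make_sbox()

def expand_key(key):
    # Section II.E: words w[0..43]; when i mod 4 == 0 apply RotWord, SubWord, XOR Rcon
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)   # Rcon steps through powers of {02}
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # 11 round keys of 16 bytes

def mix_column(col):
    # Eq. (1); {03}.X = {02}.X ^ X, the "+" of Eq. (3) being XOR
    a, b, c, d = col
    m3 = lambda v: xtime(v) ^ v
    return [xtime(a) ^ m3(b) ^ c ^ d, a ^ xtime(b) ^ m3(c) ^ d,
            a ^ b ^ xtime(c) ^ m3(d), m3(a) ^ b ^ c ^ xtime(d)]

def encrypt_block(pt, key):
    rk = expand_key(key)
    s = [p ^ k for p, k in zip(pt, rk[0])]   # flat state: index 4*c + r is row r, column c
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                                        # no MixColumns in round 10
            s = sum((mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)
# Table 3, first row: input text and key (written as their ASCII) and the reported output
PT, KEY, CT = b"Two One Nine Two", b"Thats my Kung Fu", bytes.fromhex("29C3505F571420F6402299B31A02D73A")
```

Comparing `encrypt_block(PT, KEY)` with the `data_o` or `outtxt` value from a simulation run gives a pass/fail check that does not depend on reading waveforms.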

Figure 7: Simulation Report of iterative implementation of AES

Note:
Encryption:(clk=1,mode=1,plntxt=54776f204f6e65204e96e652054776f,key=5468617473206d79204b756e67204675,outtxt=29c3505f571420f6402299b31a02d73a)
Decryption:(clk=1,mode=0,ciphertxt=29c3505f571420f6402299b31a02d73a,key=5468617473206d79204b756e67204675,outtxt=54776f204f6e65204e96e652054776f)

b. Synthesis Result

Tables 1 and 2 below compare the results of the compilation and power analysis.

Table 1: Comparison of Compilation Report

PARAMETERS                  ITERATIVE PROGRAM   PROGRAM USING CONTROLLER
Combinational ALUTs         31                  1305
Dedicated Logic Registers   71                  674
Total Registers             71                  674
Total Pins                  130                 133
Block Memory Bits           0                   0

PARAMETER                               ITERATIVE PROGRAM   PROGRAM USING CONTROLLER
Total Thermal Power Dissipation         124.79 mW           125.87 mW
Core Static Thermal Power Dissipation   79.97 mW            79.98 mW
I/O Thermal Power Dissipation           44.82 mW            45.90 mW

Table 2: Comparison of Power Analysis Report

From Table 1, we can infer that the iterative method utilizes fewer hardware units compared to the controller method. Similarly, from Table 2, we can infer that power dissipation is higher in the controller method.

c. Hardware Test Results

Clk   Mode   Input Text                                        Key                                               Output Text
      0      54 77 6F 20 4F 6E 65 20 4E 69 6E 65 20 54 77 6F   54 68 61 74 73 20 6D 79 20 4B 75 6E 67 20 46 75   29 C3 50 5F 57 14 20 F6 40 22 99 B3 1A 02 D7 3A
      1      29 C3 50 5F 57 14 20 F6 40 22 99 B3 1A 02 D7 3A   54 68 69 73 20 69 73 20 6F 75 72 20 6B 65 79 2E   54 77 6F 20 4F 6E 65 20 4E 69 6E 65 20 54 77 6F
      0      4D 61 69 6E 20 50 72 6F 6A 65 63 74 2D 41 45 53   54 68 61 74 73 20 6D 79 20 4B 75 6E 67 20 46 75   84 77 9A 7C EE 22 A4 8C DE AA B9 26 B6 36 3D 2F
      1      84 77 9A 7C EE 22 A4 8C DE AA B9 26 B6 36 3D 2F   54 68 69 73 20 69 73 20 6F 75 72 20 6B 65 79 2E   4D 61 69 6E 20 50 72 6F 6A 65 63 74 2D 41 45 53

Table 3. Function Table

In Table 3, mode 0 represents the encryption process and mode 1 represents the decryption process. SignalTap Logic Analyzer waveforms of the test programs are shown in Figures 8 and 9.

Figure 8: Signaltap of iterative implementation of AES

Figure 9: Signaltap of controller based implementation of AES

V. CONCLUSION

The speed/area/power tradeoff will typically determine the right design approach to VLSI cryptosystems for any given application. Controller based architectures are best known for their adaptation to pipelined operation and better observability, which is useful for design debugging. Nevertheless, the iterative approach followed is found to infer less hardware than the controller based AES. This difference in hardware units has in turn resulted in increased power usage by the controller based design. The time advantage of the iterative AES over the controller based AES has been extrapolated from the observation that it gives the output in fewer clock cycles, whereas the controller based approach took at least 505 clock cycles each to perform encryption and decryption.

VI. REFERENCES

[1] National Inst. of Standards and Technology, "Federal Information Processing Standard Publication 197, the Advanced Encryption Standard (AES)," Nov. 2001.
[2] J. Daemen and V. Rijmen, "AES Proposal: Rijndael."
[3] William Stallings, Cryptography and Network Security, Principles and Practices, 4th ed. Pearson Education, pp. 134-161, 2006.
[4] Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security, Private Communication in a Public World, 2nd ed. Pearson Education, pp. 41-114, 2006.
[5] A. Hodjat, I. Verbauwhede, "Area-Throughput Trade-Offs for Fully Pipelined 30 to 70 Gbits/s AES Processors," IEEE Transactions on Computers, vol. 55, 2006, pp. 366-372.
[6] G. Rouvroy, F.-X. Standaert, J.-J. Quisquater, J.-D. Legat, "Compact and Efficient Encryption/Decryption Module for FPGA Implementation of the AES Rijndael Very Well Suited for Small Embedded Applications," Proc. ITCC-04 Conf., pp. 583-587, 2004.
[7] Chih-Chung Lu and Shau-Yin Tseng, "Integrated Design of AES (Advanced Encryption Standard) Encrypter and Decrypter," Proc. IEEE Int. Conf. on Application-Specific Systems, Architectures, and Processors (ASAP'02), pp. 277-285, 2002.
[8] J.M. Granado-Criado, M.A. Vega-Rodriguez and J.M. Sanchez-Perez, "A new methodology to implement the AES algorithm using partial and dynamic reconfiguration," INTEGRATION, the VLSI journal, 2010, pp. 72-80.
[9] Chih-Peng Fan, Jun-Kui Hwang, "Implementations of high throughput sequential and fully pipelined AES processors on FPGA," Intelligent Signal Processing and Communication Systems (ISPCS), IEEE Press, 2007, pp. 353-356, doi: 10.1109/ISPACS.2007.4445896.
[10] S.-M. Yoo, D. Kotturi, D.W. Pan, J. Blizzard, "An AES crypto chip using a high-speed parallel pipelined architecture," Microprocessors and Microsystems, vol. 29, 2005, pp. 317–326.
[11] M.R.M. Rizk, S. Member, M. Morsy, "Optimized Area and Optimized Speed Hardware Implementations of AES on FPGA," Design and Test Workshop, IEEE Press, 2007, pp. 207-217, doi: 10.1109/IDT.2007.4437462.
[12] C. Nalini, Nagaraj, P.V. Anandmohan and D.V. Poornaiah, "An FPGA Based Performance Analysis of Pipelining and Unrolling of AES Algorithm," Advanced Computing and Communications (ADCOM), IEEE Press, 2006, pp. 477-482, doi: 10.1109/ADCOM.2006.4289939.
