Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box
Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, wherein hardware designs for FPGAs and standard cells have received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examine implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by up to almost an order of magnitude. In terms of area and area-delay product, the best choices are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations not only reduce power consumption by a large degree, but also show good timing properties and offer the best power-delay and power-area product, respectively.
Keywords: Advanced Encryption Standard (AES), substitution box (S-box), inversion in the finite field GF($2^8$), standard cell implementation, silicon area, critical path delay, power consumption
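The two implementation families the abstract contrasts, a calculated S-box (inversion in GF($2^8$) followed by the affine map defined in FIPS 197) and a look-up table, can be modelled in software as follows. This is an added example, not the authors' HDL; all function and constant names are illustrative.

```python
# Added illustration: software model of a "calculated" AES S-box versus a
# look-up table. Names are hypothetical; the arithmetic follows FIPS 197.

AES_POLY = 0x11B  # reduction polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree-8 term appeared: reduce
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse as a^254; maps 0 to 0 as the S-box requires."""
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def rotl8(x, n):
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox_computed(x):
    """Calculated S-box: field inversion, then the affine transformation."""
    inv = gf_inv(x)
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63


# Look-up variant: the 256 output bytes are fixed in advance, which is what a
# hardware look-up table stores instead of computing the inverse per input.
SBOX_TABLE = [sbox_computed(x) for x in range(256)]


def sbox_lookup(x):
    """Table-based S-box: one indexed read, no field arithmetic."""
    return SBOX_TABLE[x]
```

Both functions return the same byte for every input; the difference the paper measures is in what each costs in silicon (logic for the field inversion versus storage and decoding for 256 entries).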
The authors would like to thank Johannes Wolkerstorfer and David Canright for providing the HDL source code of several AES S-box implementations. The research described in this paper has been supported by the Austrian Science Fund (FWF) under grant P16952–N04, the FIT-IT initiative of the Austrian Federal Ministry of Transport, Innovation, and Technology (project SNAP), and the EPSRC under grant EP/E001556/1. The research described in this paper has also been supported, in part, by the European Commission through the IST Programme under contract IST-2002-507932 ECRYPT. The information in this document reflects only the authors’ views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.