Design of Hardware Implementable AES with Minimal Resource Utilization

Design of Hardware Implementable AES with Minimal Resource Utilization

K. Hemalatha,

PG scholar

Dept. of Electronics and Communications Engineering JNTU College of Engineering, Anantapur

Anantapur, AP, India.

B. Doss,

M.Tech, (Ph.D) Lecturer, Dept. of ECE

JNTU College of Engineering Anantapur Anantapur, AP, India.

Abstract: This paper presents a new method for the hardware implementation of AES algorithm. As the resource utilization plays a vital role in all hardware implementations, this paper mainly focused on utilization of minimal resources. It has been achieved with the help of Galois field transformation and masking. In this brief the operations of AES have been mapped from GF (28) to GF (22) as much as possible, so that all the operations have been performed over GF (22) and at last the results are transformed back to GF (28) from GF (22). In addition to this transformation Boolean masking is applied to the encription algorithm.

1. INTRODUCTON

   Physical networks such as Storage Area networks (SANs) require hardware implementable AES algorithm to ensure security. Since Field Programmable Gate Arrays (FPGAs) are attractive options for the hardware implementation of encryption algorithms, most of the early works have been worked in that way. But it requires large FPGA resources. However FPGA boards provide limited amount of resources so the design should be such that to be fit into the board.

   The normal AES has been broken by Kocher et al. for the first time in 1999 with the help of power analysis attacks [1]. Also he stressed that the information leaked from microchips and computers has correlation with the data handled in physical devices. The power analysis attacks habitually targets one particular circuit. Hence identifying the target is the first step in power analysis. Next is estimating a hypothetical model of devices power consumption [2]. Based on that information secret key has been extracted. As most of the present FPGAs are made up of CMOS gates, the power consumption depends on number of bit transitions in the device registers. Moreover the steps involved in encryption algorithm are familiar to everyone.

   With time DPA attack has become stronger. So to overcome those threats numerous works have been done for implementing AES with the ability to defend against the attacks mentioned earlier.

   One of the solutions derived for the above problem is to apply masking schemes for the round function of AES algorithm. The two better masking schemes that suits the AES algorithm is

   1. Multiplicative masking

   2. Boolean masking.

   Realization of multiplicative masking can be done by using standard CMOS cells. But it is proven that multiplicative masking is vulnerable to DPA attacks.

   Whereas the realization of Boolean masking is easier than that of multiplicative masking. So in this Boolean masking is used.

2. DEFINITION OF BOOLEAN MASKING

   Boolean masking is defined as follows. In this masking scheme simple ex-or operation is performed between the random mask and the data [3]. It illustrated as below.

   =

   Where x is input to the mask, x is output of the mask and r refers to random mask.

   The masking operations can be explained in detailed as below. If

   3 = 12

   Then the masked output is given as

   1

   = 11

   2

   = 22

   3

   And = 12

   3

   Then 3 = 3

   Where 3 = 12

   Many research works suggested that Boolean masking is resistant to DPA attacks. With the application of masking schemes, the actual data divides into multiple halves. Moreover this masked data will be distributed uniformly as compared to actual data. For this reason intruders have to estimate compound distributions for each portion of the masked data. As a result the computation complexity gets increased exponentially.

   Among the round operations of AES, only the subbytes operation is non-linear. Hence the masking has to be applied outside of this function. This is illustrated in the below figure 1.

   Masked input AiX

   SubBytes

   Other round functions

   Key from key expansion

   Encrypted data

   Fig 1: masking outside of subbytes step

   As substitution of bytes is the only non linear operation of AES round function, care has to be taken while applying masking schemes [4].

3. CALCULATIONS ON GALOIS FIELDS

   In general a field is more than just a set of elements. The field that contains finite number of elements is usually called as Galois field. Following are the operations that are performed over the GF (28) [5].

   Let a(x), b(x) be two fourth order polynomials, the addition and multiplication operations are given as

   () = 33 + 22 + 1 + 0

   () = 33 + 22 + 1 + 0

   Then the addition is

   () + () = (3 3)3 + (2 2)2 + (1 1)

   + (0 0)

   That means addition operation is nothing but performing Ex- OR operation between the coefficients of like powers.

   Multiplication operation is defined as

   () = () ()

   () = 66 + 55 + 44 + 33 + 22 + 1 + 0

   Where 0 = 0 0

   1 = 0 11 0

   2 = 2 01 10 2

   3 = 3 02 11 20 3

   4 = 3 12 21 3

   5 = 3 22 3

   6 = 3 3

   The result of multiplication does not have four bits like addition operation. So to convert the result modulo operation has to be performed. For AES algorithm it is gets done with the polynomial4 + 1. But on GF (28) the above mentioned polynomial is an irreducible polynomial. Hence the results of those operations need large memory for storage.

4. AFFINE TRANSFORMATION

   Since the computations over the field GF (28) require large memory resources, here comes the need of transformation from GF (28) to GF (22). This can be accomplished with the help of affine transformation.

   If the operation to which masking is to be applied is a linear operation, it follows the re computation of additive constant for each new mask to facilitate the equivalence of the data transformations. But the case is different if the operation is non-linear [5].

5. PREVIOUS WORK

   Yi Wang and Yajun Ha proposed a strategy and they proved that storage requirement has been reduced by 20.5%, if the operations of AES implementation are performed over GF (24) [6]. The block diagram is given in fig 2.

   Plain text

   resultant matrices are given as

   1 1 1 1 1

   0 1 1 1 1

   0 0 0

   1 0 0

   0

   1

   Masking

   values

   0 0 1 1 1

   0 0 0 1 1

   1 1 0

   1 1 1

   1

   0

   Map from GF(28) to GF (24)

   A

   1 0

   0 0 1

   b

   1 1 1 0

   1 1

   Key expansion block

   AES block

   1 1

   0 0 0 1 1 1

   1 0 0 0 1 1

   0

   1

   1 1 1 1 0 0 0 1 1

   Inv Map to GF (28)

   Cipher text

   Fig 2: masked AES over GF (24)

   Affine transformation involved in this implementation is: Let the input values to the map function be (z+m) and m.

   the output values be (z+m) and m. Then the input belongs to GF (28) and the output belongs to GF (24).

   They keep up the relation

   (z+m+m) = map (z+m+m) (1)

   General form of affine transformation is (Ax+b), by applying this to the above equation

   A (z+m+m)+b = A map-1 (z+m+m)+b (2) After mapping from GF (8) to GF (24)

   Map (A (z+m+m)+b)=map(Amap-1(z+m+m)+b) (3)

   The Galois field with 256 elements has irreducible polynomials which means that all the operations have to be performed over those polynomials. The two irreducible polynomials of GF (28) are (x4+x+1) and (x2+x+e). one is of degree 4 and the other is of degree 2. Poerations performed over GF (28) requires large memory resources to store their results. So, for that reason transformation has been done from GF (28) to GF (24). By resolving the above equations the affine transformations over GF (28) can be obtained. And the

   Affine transformation over GF (28) A(x+m)+b+Am

6. PROPOSED AES IMPLEMENTATION OVER GF

   (22)

   As this paper mainly focusing on minimization of resource utilization, GF (22) is chosen to perform masked AES operations. GF (24) is an extension of GF (22), but because of the irreducible polynomials over GF (24), it has need of too big resources to store the results.

   Irreducible polynomials of GF (24):

   1+x+x4 ; 1+x+x2+x3+x4 ; 1+x3+x4

   Hence to reduce the resource requirement an attempt is made in this brief. So that AES can have a feasible implementation in hardware.

   The finite field GF (22) has four elements: 0,1, x,x+1. The primitive polynomial of the field is x2+x+1 [7]. With these elements all the operations involved in the round functions can be performed. Addition and multiplication over GF (22) is somewhat similar to that of calculations over GF (24). Addition operation resembles Ex-OR operation. Performing Ex-OR between the coefficients of like powers gives the result of addition operation.

   Usually multiplication is treated as successive addition. But the result of multiplication requires double memory resources than the actual data that is being multiplied. So modulo division is necessary to reduce the memory consumption.

   In the proposed implementation Boolean masking is applied outside of the round function of AES. AES involves four key operations in order to encrypt the data. Among those operations substitution of bytes step is the only non-linear operation. The remaining three are linear. Moreover Sub- Bytes operation is treated as heart of the encryption algorithm. As substitution of byte is very familiar to everyone and plays an important role in producing cipher text, the changes made to that portion will

   ensure security. In other words strength of the encryption algorithm depends on strength of Sub-Bytes step.

   Besides this applying mask to a non-linear operation involves different calculations that depends on mask. As the three operations namely add-round key, shift-rows, mix- columns are linear in nature they follow the rule given here.

   Shift-rows(xm)=Shift-rows(x)shift-rows(m)

   But the non-linear operation does not follow the above rule. For non-linear operations like SubBytes step, masking follows as below.

   s-box(xm) s-box(x) s-box(m)

   for this reason mask is applied outside of the s-box. After applying mask affine transformation is applied to the resultant equation. Affine transformation is of the form A(x)+b. Applying this transformation on both sides of masked output gives following result.

   estimation. At last de-masking has to be done to extract actual round key.

   Plain text

   Masking values

   Map to GF (22)

   AES block

   Key expansion block

   1 0 1

   1 1 1

   0 0 0 0 0

   1 1 1 1 0

   1

   Inv Map to GF (28)

   1

   Cipher text

   1	1	0	1	0	0	0	0	0
   0	1	0	0	0	1	1	1 r	0

   q

   1 1 0 1 1 0 0 0 0

   Fig 3: masked AES over GF (22)

   1 1

   1 0

   0 1 1 0 1 1

   0 0 0 1 1 0

   1

   1

   In order to be compatible the order of affine transformation

   0 1 1 1 1 0 1 0 1

   The above matrix is derived from the affine transformation function over GF (24). Where q=mapAmap-1 and

   and masking operations has been interchanged. After applying the affine transformation by resolving those equations the matrices correspond to GF (22) can be obtained. They are given below.

   r=mapb.

   Actual equation that corresponds to the affine transformation

   1 0

   0 1

   0 1 1

   0 0 1

   0 0 0

   1 0 0

   1

   1

   over GF (24) is

   0 0 1 0 0 1 0 0 0

   mapAmap-1(x+m)+mapb+mapAmap-1m.

   q 0 0 0 1

   0 0 1 0r 0

   where (x+m) is an input to the mask, m is a random mask

   0 0 0 0 1 0 0 1 0

   and b is a constant added in the transformation function.

   Figure3 illustrates the implementation of AES with optimized

   1 0

   0 1

   0 0 0 1 0 0

   0 0 0 0 1 0

   1

   0

   resource utilization. Here the masked values are mapped to the field of four elements i.e.GF (22). All the operations of

   0 0 1 0 0 0 0 1 1

   AES are performed over there.

   The expansion block plays an important role in the encryption algorithm. Normal AES involves key generation for each round of operation. Here in addition to that block key expansion is necessary as masking is applied to the actual data. The result of key expansion block contains the values produced by the EX-OR operation between actual round key and random mask. So to extract the secret key intruders need more computations which in turn changes the power

   Where q = mapAmap-1 and r = mapb. While de-masking the encrypted values the same Ex-OR operation is performed. Transformation back to GF (28) uses matrices corresponds to the field GF (28).

7. SYNTHESIS RESULTS

Table 1: synthesis report for the proposed implementation

The above tabulated results are obtained by synthesizing the logic using XILINX ISE 13.2. Hardware chosen for the synthesis is Vertex-6. By the observation of above result it is concluded that device utilization is optimized in the proposed implementation.

CONCLUSION

As area concern is important in VLSI implementations, to tackle such type of challenges an attempt is made in this paper. We have succeeded in achieving the expected result. Significant reduction in area has been showed in result.

REFERENCES

1. P. Kocher, J. Jaffe, and B. Jun, Differential Power Analysis, in proc. CRYPTO, 1999, vol. LNCS 1666, pp. 388-397.

2. F. X. Standaert, E. Peeters, G. Rouvroy, J.-J. Quisqqater, An Overview of Power Analysis Attacks Against FPGAs, in proc vol. 94 No.2, February 2006.

3. Wing Ng, Counter Measure for Differential Power Analysis Using Boolean Masking.

4. Rijndael, Advanced Encryption Standard.

5. Jovan D. Golic and Chrystophe Tymen, Multiplicative Masking and Power analysis of AES.

6. Yi Wang and Yajun Ha, FPGA Based 40.9 Gbits/s Masked AES With Area Optimization for Storage Area Network, vol. 60. No.1. January 2013.

7. GF (22) from wikipedia.org/wiki/Finite_field.