Design and Implementation of Low-Area and Low-Power AES Encryption Hardware Core
30 Aug 2006-pp 577-583
TL;DR: This paper presents an AES encryption hardware core suited for devices in which low cost and low power consumption are desired and constitutes of a novel 8-bit architecture and supports encryption with 128-bit keys.
Abstract: The Advanced Encryption Standard (AES) algorithm has become the default choice for various security services in numerous applications. In this paper we present an AES encryption hardware core suited for devices in which low cost and low power consumption are desired. The core constitutes of a novel 8-bit architecture and supports encryption with 128-bit keys. In a 0.13 im CMOS technology our area optimized implementation consumes 3.1 kgates. The throughput at the maximum clock frequency of 153 MHz is 121 Mbps, also in feedback encryption modes. Compared to previous 8-bit implementations, we achieve significantly higher throughput with corresponding area. The energy consumption per processed block is also lower.
Citations
More filters
2,687 citations
[...]
TL;DR: This work considers the resistance of ciphers, and LED in particular, to related-key attacks, and is able to derive simple yet interesting AES-like security proofs for LED regarding related- or single- key attacks.
Abstract: We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.
848 citations
30 Aug 2009
TL;DR: A new family of very efficient hardware oriented block ciphers divided into two flavors, which is more compact in hardware, as the key is burnt into the device (and cannot be changed), and achieves encryption speed of 12.5 KBit/sec.
Abstract: In this paper we propose a new family of very efficient hardware oriented block ciphers. The family contains six block ciphers divided into two flavors. All block ciphers share the 80-bit key size and security level. The first flavor, KATAN, is composed of three block ciphers, with 32, 48, or 64-bit block size. The second flavor, KTANTAN, contains the other three ciphers with the same block sizes, and is more compact in hardware, as the key is burnt into the device (and cannot be changed).
The smallest cipher of the entire family, KTANTAN32, can be implemented in 462 GE while achieving encryption speed of 12.5 KBit/sec (at 100 KHz). KTANTAN48, which is the version we recommend for RFID tags uses 588 GE, whereas KATAN64, the largest and most flexible candidate of the family, uses 1054 GE and has a throughput of 25.1 Kbit/sec (at 100 KHz).
733 citations
15 May 2011
TL;DR: A very compact hardware implementation of AES-128, which requires only 2400 GE, is described, to the best of the knowledge the smallest implementation reported so far and is still susceptible to some sophisticated attacks having enough number of measurements.
Abstract: Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. This is to the best of our knowledge the smallest implementation reported so far. Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attacks. Our experimental results on real-world power traces show that although our implementation provides additional security, it is still susceptible to some sophisticated attacks having enough number of measurements.
479 citations
28 Sep 2011
TL;DR: Piccolo is one of the competitive ultra-lightweight blockciphers which is suitable for extremely constrained environments such as RFID tags and sensor nodes and its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable.
Abstract: We propose a new 64-bit blockcipher Piccolo supporting 80 and 128-bit keys Adopting several novel design and implementation techniques, Piccolo achieves both high security and notably compact implementation in hardware We show that Piccolo offers a sufficient security level against known analyses including recent related-key differential attacks and meet-in-the-middle attacks In our smallest implementation, the hardware requirements for the 80 and the 128-bit key mode are only 683 and 758 gate equivalents, respectively Moreover, Piccolo requires only 60 additional gate equivalents to support the decryption function due to its involution structure Furthermore, its efficiency on the energy consumption which is evaluated by energy per bit is also remarkable Thus, Piccolo is one of the competitive ultra-lightweight blockciphers which are suitable for extremely constrained environments such as RFID tags and sensor nodes
457 citations
References
More filters
2,687 citations
"Design and Implementation of Low-Ar..." refers background in this paper
...Roundkey generation (key expansion) includes S-box substitutions, word rotations, and XOR operations performed on the encryption key....
[...]
...AES [11] is a symmetric cipher that processes data in 128-bit blocks....
[...]
...As Advanced Encryption Standard (AES) [11] is a standardized encryption algorithm and considered secure, it has become the default choice in numerous applications, including the standard wireless technologies IEEE 802.11i [9], IEEE 802.15.4 [8], and ZigBee [15]....
[...]
IBM1
TL;DR: Compact and high-speed hardware architectures and logic optimization methods for the AES algorithm Rijndael are described, including a new composite field and the S-Box structure is also optimized.
Abstract: Compact and high-speed hardware architectures and logic optimization methods for the AES algorithm Rijndael are described. Encryption and decryption data paths are combined and all arithmetic components are reused. By introducing a new composite field, the S-Box structure is also optimized. An extremely small size of 5.4 Kgates is obtained for a 128-bit key Rijndael circuit using a 0.11-µm CMOS standard cell library. It requires only 0.052 mm2 of area to support both encryption and decryption with 311 Mbps throughput. By making effective use of the SPN parallel feature, the throughput can be boosted up to 2.6 Gbps for a high-speed implementation whose size is 21.3 Kgates.
722 citations
11 Aug 2004
TL;DR: A novel approach of an AES hardware implementation which encrypts a 128-bit block of data within 1000 clock cycles and has a power consumption below 9 μA on a 0.35 μm CMOS process is introduced.
Abstract: Radio frequency identification (RFID) is an emerging technology which brings enormous productivity benefits in applications where objects have to be identified automatically This paper presents issues concerning security and privacy of RFID systems which are heavily discussed in public In contrast to the RFID community, which claims that cryptographic components are too costly for RFID tags, we describe a solution using strong symmetric authentication which is suitable for today’s requirements regarding low power consumption and low die-size We introduce an authentication protocol which serves as a proof of concept for authenticating an RFID tag to a reader device using the Advanced Encryption Standard (AES) as cryptographic primitive The main part of this work is a novel approach of an AES hardware implementation which encrypts a 128-bit block of data within 1000 clock cycles and has a power consumption below 9 μA on a 035 μm CMOS process
721 citations
"Design and Implementation of Low-Ar..." refers background in this paper
...According to our knowledge, only two 8-bit AES ASICs have previously been reported in the academic literature [4, 5]....
[...]
Journal Article•
TL;DR: In this article, the authors presented an authentication protocol which serves as a proof of concept for authenticating an RFID tag to a reader device using the Advanced Encryption Standard (AES) as cryptographic primitive.
Abstract: Radio frequency identification (RFID) is an emerging technology which brings enormous productivity benefits in applications where objects have to be identified automatically This paper presents issues concerning security and privacy of RFID systems which are heavily discussed in public In contrast to the RFID community, which claims that cryptographic components are too costly for RFID tags, we describe a solution using strong symmetric authentication which is suitable for today's requirements regarding low power consumption and low die-size We introduce an authentication protocol which serves as a proof of concept for authenticating an RFID tag to a reader device using the Advanced Encryption Standard (AES) as cryptographic primitive The main part of this work is a novel approach of an AES hardware implementation which encrypts a 128-bit block of data within 1000 clock cycles and has a power consumption below 9 μA on a 035 μm CMOS process
709 citations
29 Aug 2005
TL;DR: This work refines the most compact implementations of AES by examining many choices of basis for each subfield, not only polynomial bases as in previous work, but also normal bases, giving 432 cases to achieve a more compact S-box.
Abstract: A key step in the Advanced Encryption Standard (AES) algorithm is the “S-box.” Many implementations of AES have been proposed, for various goals, that effect the S-box in various ways. In particular, the most compact implementations to date of Satoh et al.[14] and Mentens et al.[6] perform the 8-bit Galois field inversion of the S-box using subfields of 4 bits and of 2 bits. Our work refines this approach to achieve a more compact S-box. We examined many choices of basis for each subfield, not only polynomial bases as in previous work, but also normal bases, giving 432 cases. The isomorphism bit matrices are fully optimized, improving on the “greedy algorithm.” Introducing some NOR gates gives further savings. The best case improves on [14] by 20%. This decreased size could help for area-limited hardware implementations, e.g., smart cards, and to allow more copies of the S-box for parallelism and/or pipelining of AES.
465 citations