JYOTHISMATHI INSTITUTE OF TECHNOLOGY & SCIENCES
NUSTULAPUR, KARIMNAGAR.
Department of Electronics and Communication Engineering.
Data Security by AES for VLSI System
Design Using Verilog
  Guided by,                         Presented by,
  UMAPATHI                           A. SHRAVYA
  Associate Professor                M.TECH(VLSI)
                                     18271D5710
•   Introduction
•   Chronology of AES Selection
•   Overview of the AES Algorithm
•   Layer Types
•   Internal Structure of AES
•   Implementation
•   Future scope
•   Conclusion
•   Reference
                 Some Basic Facts
    • AES is the most widely used symmetric cipher today
    • The algorithm for AES was chosen by the US National
     Institute of Standards and Technology (NIST) in a
     multi-year selection process
    •The requirements for all AES candidate submissions
     were:
      •Block cipher with 128-bit block size
      •Three supported key lengths: 128, 192 and 256
        bit
      •Security relative to other submitted algorithms
      •Efficiency in software and hardware
 Chronology of AES Selection
• The need for a new block cipher announced by
 NIST in January, 1997
• 15 candidate algorithms accepted in August, 1998
•5 finalists announced in August, 1999:
      •Mars – IBM Corporation
      •RC6 – RSA Laboratories
      •Rijndael – J. Daemen & V. Rijmen
     • Serpent – Eli Biham et al.
     • Twofish – B. Schneier et al.
• In October 2000, Rijndael was chosen as the AES
Chronology of AES Selection
• AES was formally approved as a US federal
standard in November 2001
• In 1993, the NSA allows AES to encrypt classified
 documents
  • Up to SECRET for all key lengths
  • Up to TOP SECRET for 192 and 256-bit keys
Overview of the AES Algorithm
AES: Overview
• The number of rounds depends on the chosen key length:
                 Key length (bits)        Number of rounds
                       128                       10
                       192                       12
                       256                       14
AES: Overview
• Iterated cipher with
 10/12/14 rounds
• Each round consists
 of “Layers”
• Unlike DES, all 128
 bits are encrypted in
 each round
   Three Layer Types
• Key Addition Layer
   • A 128-bit round key (or subkey)
   • Derived from the main key in the key schedule
   • XORed to the state
• Byte Substitution Layer (S-Box)
   • Nonlinear transformation using lookup tables
   • Introduces confusion to the data
     • (Obscures relationship between key and
    ciphertext)
   Three Layer Types
• Diffusion Layer
   • Two sublayers: ShiftRows and MixColumn
     • (Makes sure that changing one plaintext bit
     affects many ciphertext bits)
Internal Structure of AES
• AES is a byte-oriented cipher
• The state A (i.e., the 128-bit data path) can be
 arranged in a 4x4 matrix:
                       A0    A4    A8     A12
                       A1    A5    A9     A13
                       A2    A6    A10    A14
                       A3    A7    A11    A15
with A0,…, A15 denoting the 16-byte input of AES
Round function for rounds 1, 2, …, nr-1:
   • Byte Substitution Layer (S-Box)
   • Diffusion Layer
   • Key Addition Layer
• Note: In the last round, the MixColumn transformation is omitted
 Byte Substitution Layer
• The Byte Substitution layer consists of 16 S-Boxes with the
 following properties:
The S-Boxes are
   • identical
   • the only nonlinear elements of AES, i.e.,
ByteSub(Ai) + ByteSub(Aj) ≠ ByteSub(Ai + Aj), for i,j = 0,…,15
   • bijective, i.e., there exists a one-to-one mapping of input
     and output bytes
     ⇒ S-Box can be uniquely reversed
• In software implementations, the S-Box is usually realized as
 a lookup table
(Figure: S-Box)
Diffusion Layer
• provides diffusion over all input state bits
• consists of two sublayers:
   • ShiftRows Sublayer: Permutation of the data on a byte
     level
   • MixColumn Sublayer: Matrix operation which combines
     (“mixes”) blocks of four bytes
• performs a linear operation on state matrices A, B, i.e.,
       DIFF(A) + DIFF(B) = DIFF(A + B)
 ShiftRows Sublayer
• Rows of the state matrix are shifted cyclically:
   Input matrix:
                          B0   B4   B8   B12
                          B1   B5   B9   B13
                          B2   B6   B10  B14
                          B3   B7   B11  B15
   Output matrix:
                          B0   B4   B8   B12   no shift
                          B5   B9   B13  B1    ← one position left shift
                          B10  B14  B2   B6    ← two positions left shift
                          B15  B3   B7   B11   ← three positions left shift
MixColumn Sublayer
• Linear transformation which mixes each column of the state
 matrix
• Each 4-byte column is considered as a vector and multiplied by
 a fixed 4x4 matrix, e.g.,
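The diffusion layer described on the ShiftRows and MixColumn slides, as an added Python example that is not part of the original presentation. The MixColumn matrix used is the fixed FIPS-197 matrix (rows are rotations of 02 03 01 01), which the slide text does not reproduce; all function names are illustrative.

```python
# Added example: AES diffusion layer on a 16-byte state stored column-major,
# i.e. index = row + 4*col, so bytes 0..3 are the first column (B0..B3).

def xtime(b):
    """Multiply a byte by 02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def shift_rows(s):
    """ShiftRows: row r of the state matrix is rotated left by r positions."""
    return bytes(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))

def mix_column(col):
    """MixColumn: multiply one 4-byte column by the fixed 4x4 matrix."""
    a0, a1, a2, a3 = col
    mul3 = lambda b: xtime(b) ^ b          # 03*b = 02*b + b
    return bytes([
        xtime(a0) ^ mul3(a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ mul3(a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ mul3(a3),
        mul3(a0) ^ a1 ^ a2 ^ xtime(a3),
    ])

def diff(s):
    """Whole diffusion layer: ShiftRows, then MixColumn on each column."""
    t = shift_rows(s)
    return b"".join(mix_column(t[4 * c:4 * c + 4]) for c in range(4))

def xor_bytes(a, b):
    """Addition of two states (bytewise XOR)."""
    return bytes(x ^ y for x, y in zip(a, b))

def active_bytes(state_diff, applications):
    """Non-zero bytes of a difference after applying DIFF repeatedly."""
    for _ in range(applications):
        state_diff = diff(state_diff)
    return sum(1 for b in state_diff if b)

if __name__ == "__main__":
    one_byte = bytes([1] + [0] * 15)       # constructed single-byte difference
    print([active_bytes(one_byte, n) for n in (0, 1, 2)])
```

Because the layer is linear, the spread of a difference can be tracked without knowing the state; the S-Box between diffusion steps is what prevents an attacker from doing the same through the full cipher.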
 Key Addition Layer
• Inputs:
   • 16-byte state matrix C
   • 16-byte subkey ki
• Output: C ⊕ ki
   • Combined with XOR
• The subkeys are generated in the key
 schedule
     Key Schedule
    • Subkeys are derived recursively from the
     original 128/192/256-bit input key
    • Each round has 1 subkey, plus 1 subkey at the
     beginning of AES
                 Key length (bits)        Number of subkeys
                       128                       11
                       192                       13
                       256                       15
• Key whitening: Subkey is used both at the input and output of
  AES
 # subkeys = # rounds + 1
• There are different key schedules for the different key sizes
 Key Schedule
Example: Key schedule for 128-bit key AES
• Word-oriented: 1 word = 32 bits
• 11 subkeys are stored in W[0]…W[3], W[4]…W[7], … , W[40]…W[43]
• First subkey W[0]…W[3] is the original AES key
 Key Schedule
• Function g rotates its four input bytes and performs
  a bytewise S-Box substitution ⇒ nonlinearity
• The round coefficient RC is only added to the
  leftmost byte and varies from round to round:
    RC[1]  = x^0 = (00000001)_2
    RC[2]  = x^1 = (00000010)_2
    RC[3]  = x^2 = (00000100)_2
    ...
    RC[10] = x^9 = (00110110)_2
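The S-Box properties from the Byte Substitution slide and the AES-128 key schedule from the slides above, as one added Python example (not the presenter's code). The S-Box is built from its FIPS-197 definition instead of a typed-in table, the sample key is the FIPS-197 Appendix A.1 key, and all function names are illustrative.

```python
# Added example: S-Box from its definition, then the AES-128 key schedule.

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(a):
    """ByteSub: inverse in GF(2^8) (0 maps to 0), then the fixed affine map."""
    inv = 1
    for _ in range(254):                   # a^254 == a^-1 for every non-zero a
        inv = gmul(inv, a)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]  # one table, used at all 16 positions

def is_bijective(table):
    """Every output byte occurs exactly once, so the table can be inverted."""
    return sorted(table) == list(range(256))

def is_linear_at(a, b):
    """True only if ByteSub(a) + ByteSub(b) == ByteSub(a + b), with + as XOR."""
    return (SBOX[a] ^ SBOX[b]) == SBOX[a ^ b]

# Round coefficients RC[i] = x^(i-1) in GF(2^8); stored 0-based in this list.
RC = [1]
for _ in range(9):
    RC.append(gmul(RC[-1], 2))

def g(word, rc):
    """Rotate the four bytes left by one, S-Box each, add rc to the leftmost."""
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= rc
    return bytes(out)

def expand_key_128(key):
    """Return the 44 words W[0..43]; subkey i is W[4i] .. W[4i+3]."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 44):
        t = g(w[i - 1], RC[i // 4 - 1]) if i % 4 == 0 else w[i - 1]
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return w

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 sample key
W = expand_key_128(KEY)
```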
Implementation
     Implementation in Software
• One requirement of AES was the possibility of an efficient software
  implementation
• Straightforward implementation is well suited for 8-bit processors (e.g.,
  smart cards), but inefficient on 32-bit or 64-bit processors
• A more sophisticated approach: Merge all round functions (except the
  key addition) into one table look-up
   • This results in four tables with 256 entries, where each entry is 32
     bits wide
   • One round can be computed with 16 table look-ups
• Typical SW speeds are more than 1.6 Gbit/s on modern 64-bit processors
Security
• Brute-force attack: Due to the key length of 128, 192
  or 256 bits, a brute-force attack is not possible
• Analytical attacks: There is no analytical attack
  known that is better than brute-force
• Side-channel attacks:
   • Several side-channel attacks have been published
   • Note that side-channel attacks do not attack the
     underlying algorithm but the implementation of it
AES in Python
Simulation Result
                    Future scope
 Advanced Encryption Standard (AES) is the most
 secure symmetric encryption technique that has
 gained worldwide acceptance.
 The AES is an efficient cryptographic technique that
 includes generation of ciphers for encryption and
 inverse ciphers for decryption.
                 Conclusion
• An FPGA implementation of an area-optimized
  AES algorithm that meets the needs of the actual
  application is proposed.
• The design, with its pipelining technology and
  special data transmission mode, can optimize
  the chip area effectively.