D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                   Applications (IJERA) IS...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                  Applications (IJERA) ISS...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                    Applications (IJERA) I...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                      Applications (IJERA)...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                           Applications (I...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                     Applications (IJERA) ...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                     Applications (IJERA) ...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                   Applications (IJERA) IS...
D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and                    Applications (IJERA) I...
Upcoming SlideShare
Loading in …5



Published on

IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508 An Area Efficient High Speed Fault Detection Scheme For Advanced Encryption Standard Using Composite Fields D.V.Nageswara Rao#1 P.Sunitha*2 # * M.Tech,VLSI System Design, Assoc. Professor,M.Tech, Pragati Engineering College. Pragati Engineering College.Abstract: In this paper, we present a lightweight description language. A unique feature of the designconcurrent fault detection scheme for the AES. proposed in this project is that the round keys, whichThe selection of appropriate fault detection are consumed during different iterations ofscheme for the AES makes it robust to internal encryption, are generated in parallel with thedefects and fault attacks. In the proposed encryption process.approach, the composite field S-box and inverseS-box are divided into blocks and the predicted B. Languageparities of these blocks are obtained. By using The hardware model was then completelyexhaustive searches We obtained the optimum verified using a test bench, which took advantage ofsolutions for the least overhead parity-based fault the Verilog, is programming feature, by constructingdetection structures. It suggests both the ASIC random test objects and providing them to the model.and FPGA implementations of the fault detection Then, the verified model was synthesized using thestructures using the obtained optimum composite Synopsis Design-Compiler tool to get an estimate offields, have better hardware and time the number of gates, area and timing of the hardwarecomplexities compared to their counterparts. model. Finally, the performances of software and hardware implementations were compared.Keywords: AES (Advanced EncryptionStandard), ASIC (application-specific integrated C. Finite Fieldscircuit), FPGA (field-programmable gate-array). In this section, the preliminaries on finite fields (also known as Galois fields) used in theI INTRODUCTION subsequent sections are presented. The detailed In today‟s digital world, encryption is description of these fields can be found in a numberemerging as a disintegrable part of all of publications, see for example [8] and [9].communication networks and information processing According to Lin and Costello in [19], the definitionsystems, for protecting both stored and in transit of a finite field is as follows. Let F be a set ofdata. elements on which two binary operations of addition and multiplication, shown by “ + ” and “ · ”,A. Drawbacks of Software respectively, are defined. Then, the set F and these There are other important drawbacks in operations construct a finite field if the followingsoftware implementation of any encryption conditions are satisfied:algorithm, including lack of CPU instructions 1. The set F be commutative under addition. Theoperating on very large operands, word size identity element in addition is zero.mismatch on different operating systems and less 2. The non-zero elements of set F be commutativeparallelism in software. In addition, software under multiplication. The identity element inimplementation does not fulfill the required speed for multiplication is one.time critical encryption applications. Thus, hardware 3. Multiplication be distributive over addition, i.e.,implementation of encryption algorithms is an for a, b and c in set F we have a · (b + c) = a · b +important alternative, since it provides ultimate a · c.secrecy of the encryption key, faster speed and more 4. The number of elements in the field be finite. Inefficiency through higher levels of parallelism. the AES, the irreducible polynomial of P(x) = x^8 + x^4 + x^3 + x + 1 is used to construct GF(2^8).II. ENCRYPTION METHODS Each element in GF(2^8) is represented by a A. Key Based Approach polynomial of degree 7, having 8 coefficients in Different versions of AES algorithm exist GF(2). Furthermore, all the field operations aretoday (AES128, AES196, and AES256) depending carried out using the above mentioned irreducibleon the size of the encryption key. In this project, a polynomial.hardware model for implementing the AES128 D. Cryptosystems and Public key cryptographyalgorithm was developed using the Verilog hardware Cryptography is the process of encrypting the plain text into an incomprehensible cipher text by the 500 | P a g e
  2. 2. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508process of Encryption and the conversion back to encryption/decryption acts on its 128-bit input whichplain text by process of Decryption. is considered as a four by four matrix, called state,Most encryption algorithms are based on 2 general whose entries are eight bits. The transformations inprinciples, each round of encryption except for the last round1. Substitution, in which each element in plain text are as follows: is mapped to some other element to form the i. SubBytes: The first transformation in each round is cipher text the bytes substitution,called SubBytes, which is2. Transposition, in which elements in plaintext are implemented by 16 S-boxes. These S-boxes are rearranged to form cipher text. nonlinear transformations which substitute the 128-3. bit input state with a 128-bit output state. In the S-E. Number of keys used box, each byte of the state (Ii in Figure 2.1) is substi- If both the sender and the receiver use a 10 tuted by a new byte (Bi in Figure 2.1). S-box willsame key then such a system is referred to as be explained in detail in the next section.Symmetric, single-key, secret-key or conventional ii.ShiftRows: ShiftRows is the secondencryption. If the sender and receiver use different transformation in which the four bytes of the rows ofkeys, then such a system is called Asymmetric, Two- the input state are cyclically shifted to the left and thekey, or public-key encryption.Processing of Plain first row is left unchanged as shown in the leftmosttext: A Block cipher processes the input one block at part of Figure 2.1. The number of left shifts for eacha time, producing an output block for each input row is equal to the number of that row. Let us denoteblock. A Stream cipher processes the input elements rows as rowi where, i, 0 ≤ i ≤ 3, is the row number.continuously producing output elements on the fly. Then, for row0 no shift, for row1 one shift, for row2Most of the cryptographic algorithms are either two shifts and for row3 three shifts are required.symmetric or asymmetric key algorithms. iii. MixColumns: The third transformation is Mixcolumns in which each entry in the output state1. Secret Key Cryptography is constructed by the multiplication of a column in This type of cryptosystem uses the same the input state with a fixed polynomial over GF(2^8).key for both encryption and decryption. Some of the The output state is obtained by multiplying theadvantages of such a system are columns of the input state modulo x^4 + 1 with the - Very fast relative to public key fixed polynomial of a(x) = cryptography (03)x^3+(01)x^2+(01)x+(02), where the coefficients - Considered secure, as long as the key is are inhexadecimal form. The matrix representation of strong Mixcolumns is shown in Figure 2.1. As seen in thisSymmetric key cryptosystems have some figure, the output state is constructed by multiplyingdisadvantages too. Exchange and administration of the entries of the input state by a fixed matrix whosethe key becomes complicated. Non-repudiation is not entries are in the hexadecimal form.possible. Some of the examples of Symmetric key iv.AddRoundKey: The final transformation iscryptosystems include DES, 3-DES, RC4, RC5 etc. AddRoundKey which XORs the input state with the key of that round, i.e., ki, 0 ≤ i ≤ 10. The AES key2. Public Key Cryptography expansion unit in Figure 2.1 takes the 128-bit This type of cryptosystems uses different original key, k0, as input and produces a linear arraykeys for encryption and decryption. Each user has a of expanded keys, k1 to k10. Each key is added topublic key, which is known to all others, and a the input by 128 two-input XOR gates. Among theprivate key, which remains a secret. The private key four transformations in the encryption and decryptionand public key are mathematically linked. of AES, only S-box for encryption and inverse S-boxEncryption is performed with the public key and the for decryption are nonlinear and complex operations.decryption is performed with the private key. Public Furthermore, not only is the S-box one of the fourkey cryptosystems are considered to be very secure round transformations, but it is also used in the keyand supports Non-repudiation. No exchange of keys expander unit which generates the keys used in theis required thus reducing key administration to a AES rounds. Therefore, the implementations of theseminimum. But it is much slower than Symmetric key two transformations affects the implementation of thealgorithms and the cipher text tend to be much larger whole AES tremendously. Later in this chapter, thethan plaintext. Some of the examples of public key im-11 plementation variations of the S-box andcryptosystems include Diffie-Hellman, RSA and inverse S-box including the composite fieldElliptic Curve Cryptography. implementations are explained in detail.III. AES ROUNDS AND IV. SECURITY OF AES TRANSFORMATIONS Three possible approaches to attacking the AES Here we briefly explain the four algorithm are as follows:transformations of each round of the encryption.  Brute Force: This involves trying out all theEach transformation in every round of possible private keys. 501 | P a g e
  3. 3. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508 Mathematical attacks: There are several Input Bytes State Array Output Bytes approaches, all equivalent in effect to factoring the product of 2 primes. in0 in4 in8 in12 s0,0 s0,1 s0,2 s0,3 out0 out4 out8 out12 Timing attacks: These depend on the running time of the decryption algorithm. in1 in5 in9 in13 s1,0 s1,1 s1,2 s1,3 out1 out5 out9 out13 Choosing large p and q values can preventsuch attacks. Security of RSA thus lies in choosing in2 in6 in10 in14 s2,0 s2,1 s2,2 s2,3 out2 out6 out10 out14the value n, which makes such attacks extremelydifficult. in3 in7 in11 in15 s3,0 s3,1 s3,2 s3,3 out3 out7 out11 out15V. PROPOSED SYSTEM In our proposed approach we introduce fault Figure 1 – State Population and Resultsdetection not only in S-box and Inverse S-box and At the beginning of the cipher, the inputalso in all other five levels in order to find the most array is copied into the State according the followingoptimum solutions and we also analyzed all required scheme:parameters to proved that the proposed system is not s[r,c] = in [r + 4c]for 0  r  4 and 0  c  4 ,only effective in fault detection and also give proper and at the end of the cipher the State is copied intoefficiency in speed, power and area through the output array as shown below:hardware implementation. out[r+4c] = s[r,c] for 0  r  4 and 0  c  4 Key Block Number of AES Length Size VI. CIPHER TRANSFORMATIONS RoundsVersion (Nk (Nb The AES cipher either operates on (Nr rounds) words) words) individual bytes of the State or an entire row/column.AES128 4 4 10 At the start of the cipher, the input is copied into theAES192 6 4 12 State as described in Section 2.2. Then, an initial Round Key addition is performed on the State.AES256 8 4 14 Round keys are derived from the cipher key using the Key Expansion routine. The key expansionTable 1 – AES Variations routine generates a series of round keys for each The basic processing unit for the AES round of transformations that are performed on thealgorithm is a byte. As a result, the plaintext, cipher State.text and the cipher key are arranged and processed as The transformations performed on the statearrays of bytes: are similar among all AES versions but the number Block length = 128 bits, 0 <= n < 16 of transformation rounds depends on the cipher key Key length = 128 bits, 0 <= n < 16 length. Key length = 192 bits, 0 <= n < 24 A. Subbytes ( ) Transformation Key length = 256 bits, 0 <= n < 24 The SubBytes is a byte substitution All byte values in the AES algorithm are operation performed on individual bytes of the State,presented as the concatenation of their individual bit as shown in Figure 3, using a substitution tablevalues between braces in the order {b7, b6, b5, b4, called S-box.b3, b2, b1, b0}. These bytes are interpreted as finitefield elements using a polynomial representation: State Array S-box State Array 7b7 x  b6 x  b5 x  b4 x  b3 x  b2 x  b1 x  b0 x   bi x s’0,0 s’0,1 s’0,2 s’0,3 7 6 5 4 3 i i 0 s0,0 s0,1 s0,2 s0,3 All the AES algorithm operations areperformed on a two dimensional 4x4 array of bytes s1,0 ss1,1 s1,2 s1,3 s’1,0 ss’1,1 s’1,2 s’1,3 ’ 1,1 1,1 s 2,0 s 2,1 s’2,2 s’2,3 ’ ’which is called the State, and any individual bytewithin the State is referred to as sr,c, where letter „r‟ s2,0 s2,1 s2,2 s2,3represent the row and letter „c‟ denotes the column.At the beginning of the encryption process, the Stateis populated with the plaintext. Then the cipher s3,0 s3,1 s3,2 s3,3 s’3,0 s’3,1 s’3,2 s’3,3performs a set of substitutions and permutations onthe State. After the cipher operations are conductedon the State, the final value of the state is copied tothe cipher text output as is shown. Figure 2 – SubBytes Transformation The invertible S-box table is constructed by performing the following transformation on each byte of the State. [1] 502 | P a g e
  4. 4. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508 - Take the multiplicative inverse in the finite term polynomial the finite field GF(28). Each field GF(28) of the byte. columns is multiplied modulo x4+1 with a fixed four- - Apply the following transformation to the term polynomial a(x) = {03}x3 + {01}x2 + {01}x + byte: {02} over the GF(28). The MixColumnsbi  bi  b(i4) mod8  b(i5) mod8  b(i6) mod8  b(i7) mod8  ci transformation can be expressed as a matrix multiplication as shown below: The bi is the ith bit of the byte and ci is the ithbit of a constant byte with the value of {63}. Thecombination of the two transformations can be  s 0,c  02 03 01 01  s 0,c      expressed in matrix form as shown below:  s1,c    01 02 03 01  s 0,c  b0  1 0 0 0 1 1 1 1 b0  1         s 2,c   01 01 02 03  s 0,c  b1  1 1 0 0 0 1 1 1  b1  1     b2  1 1 1 0 0 0 1 1 b2  0  s3,c  03   01 01 02  s 0,c          The MixColumns transformation replacesb3   1 1 1 1 0 0 0 1 b3   0b  1 1 1 1 1 0 0 0 b4  0 the four bytes of the processed column with the 4      following values:b5  0 1 1 1 1 1 0 0 b5  1 b  0 0 1 1 1 1 1 0 b  1 s0,c  ({02}  s0,c )  ({03}  s1,c )  s2,c  s3,c  6   6     b7  0 0 0 1 1 1 1 1 b7  0     s1 ,c  s0,c  ({02}  s1,c )  ({03}  s2,c )  s3,c s0,c  s0,c  s1,c  ({02}  s2,c )  ({03}  s3,c ) Table-2 SubBytes Transformation The S-box table shown in Table 2 is s1,c  ({03}  s0,c  s1,c )  s2,c  ({02}  s3,c ) constructed by performing the two transformations For the AES algorithm the irreducibledescribed earlier for all possible values of a byte, polynomial is:ranging from {00} to {ff}. For example the m(x) = x8 + x 4 + x3 + x +1.[1]substitution value for {53} would be determined by The MixColumns transformation isthe intersection of the row with index „5‟ and the illustrated in Figure 4. This transformation togethercolumn with index „3‟. with ShiftRows, provide substantial diffusion in the cipher meaning that the result of the cipher dependsB. Shiftrows ( ) Transformation on the cipher inputs in a very complex way. In other The ShiftRows transformation cyclically words, in a cipher with a good diffusion, a single bitshifts the last three rows of the state by different change in the plaintext will completely change theoffsets. The first row is left unchanged in this cipher text in an unpredictable manner.transformation. Each byte of the second row isshifted one position to the left. The third and fourthrows are shifted left by two and three positions, MixColumnsrespectively. The ShiftRows transformation isillustrated in Figure 3. S0,1 S’0,1 ShiftRows s0,0 s0,1 s0,2 s0,3 s0,0 s0,1 s0,2 s0,3 ’ S 1,1 State Array State Array s1,0 S1,1 s1,2 s1,3 s1,1 s1,1 s1,2 s1,3 s1,0 ’ s0,0 s0,1 s0,2 s0,3 s2,0 S2,1 s2,2 s2,3 s s2,2 S2,3 s2,0 s2,1 s 2,1 s0,0 s0,1 s0,2 s0,3 s3,0 S3,1 s3,2 s3,3 s s’3,1 s3,3 S3,0 s3,1 s3,2 s1,0 s1,1 s1,2 s1,3 s1,1 s1,2 s1,3 s1,0 3,1 s2,0 s2,1 s2,2 s2,3 s2,2 s2,3 s2,0 s2,1 State Array State Array s3,0 s3,1 s3,2 s3,3 s3,3 s3,0 s3,1 s3,2 Figure 4 – MixColumns Transformation D. Addroundkey ( ) Transformation: During the AddRoundKey transformation,Figure 3 – ShiftRows Transformation the round key values are added to the State by means of a simple Exclusive Or (XOR) operation. EachC Mixcolumns ( ) Transformation round key consists of Nb words that are generated This transformation operates on the from the KeyExpansion routine. The round keycolumns of the State, treating each columns as a four 503 | P a g e
  5. 5. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508values are added to the columns of the state in the start with single bit faults injected into the data blockfollowing way: at the beginning of the rounds; i.e., faults are nots 0, c    , s1 ,c , s 2,c , s3,c  s0,c , s1,c , s 2,c , s3,c  wround *Nb c  injected between the round transformations. Six types of tests have been performed with data block for 0  c  N b and key of 128 bits. In the equation above, the round value is 1. 5000 data blocks were selected randomly and abetween 0  round  N r . When round=0, the single bit error was injected into every position of the data block at each of the 10 rounds. The totalcipher key itself is used as the round key and it number of tests of this type has been 5000 x 10 xcorresponds to the initial AddRoundKey 128 = 6.4 x 106. All these tests used the sametransformation displayed in the pseudo code in secret key. Our parity bits scheme detected all theFigure 2. faults.The AddRoundKey transformation is illustrated in 2. 5000 secret keys were randomly selected and usedFigure 5. with the same 128-bit data block. The same single AddRoundKey bit errors as in (1) were injected for a total of 6.4  x 106 tests. Here too, all the faults were detected by our parity scheme. 3. 100 random secret keys and 1000 random data l = round * Nb S3,1 S’0,1 block were selected and every data block wass0,0 s0,1 s0,2 s0,3 s0,0 s0,1 s0,2 s0,3 encrypted with each secret key. 1280 single bit S1,1 S’1,1 errors were injected into every encryption for as1,0 s1,1 s1,2 s1,3 s1,1 s1,2 s1,3 s1,0 total of 1.28 x 108 tests. All the faults were Wl+c ’s2,0 S2,1 s2,2 s2,3 s s2,2 S2,3 s2,0 s2,1 s 2,1 detected. In the above three types of tests the paritys3,0 S3,1 s3,2 s3,3 s3,1 s3,3 S3,0 s3,1 s3,2 s’3,1 check was performed at the end of the tenth round. In the next type of tests the parity check was instead done at the end of the round. State Array Round Keys State Array 4. 5 x 105 random data blocks were selected and a single bit error was injected in each position ofFigure 5 – AddRoundKey Transformation the data block. A single round was then performed yielding 100% fault coverage. TheVII. FAULT DETECTION IN AES total number of tests of this type was 5 x 105 x For fault detection of the encryption or 128 = 6.4 x 107.decryption in AES one may use redundant units [12], The last two types of tests considered a[8]. In [6] algorithm-level, round-level and single simplified round consisting only of SubBytesoperation-level concurrent error detection for the and MixColumns since these transformations affectAES are used. In the algorithm-level, comparing the the error propagation in the most complex way. Theplain text with the output of a decryption after an parity check was performed at the end of theencryption is proposed. The round-level error (simplified) round. The observed fault coverage hasdetection uses similar ideas in the rounds, where, the again been 100%.output of a round in encryption is applied to a round 5. 256 32-bit data words of the type (xOOO)8w erein decryption and is compared with the input. The considered and a single bit error was injected intooperation-level (or transformation-level) error the first byte ( the one that is varying) .The totaldetection uses the inversion of a transformation in number of tests of this type was 256 x 8 = 2048.each round and compares the output with the input. All the faults were detected.Figure 2.5a shows the operation-level concurrent 6. 1000 128-bit random data blocks were selectederror detection for S-box and inverse S-box and a single bit error was injected in each positionpresented in [12]. In this figure, the 8-bit input I of of the data block. The number of tests of this typethe S-box (8-bit input B of the inverse S-box) is was 1000 x 128 = 1.28 x 104. Again, all thecompared with the output of two consecutive injected faults were detected.transformations, S-box and inverse S-box (inverse S- These six types of tests strongly suggest thatbox and S-box) using an 8-bit comparator to generate the parity-based EDC achieves a 100% faultthe error indication flag. coverage for single bit faults. In fact, it can be proven that: The proposed parity-based EDC with a singleFault coverage of the proposed parity code: checkpoint scheduled at the end of the last round is capable of detecting every single bit fault injected In this section we describe the results of into the data block in the Encryption module, at theextensive simulation experiments which were carried beginning of the rounds or between two roundout to evaluate the fault coverage of the proposed transformations. The proof had to be omitted for theparity EDC scheme for the Encryption module. We sake of brevity. In this proof, however, we only 504 | P a g e
  6. 6. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508considered single faults injected at the beginning of the „Ld‟ signal, which indicates that a valid set ofan encryption round, at the inputs of one of the four plaintext and cipher key is available on the inputround transformations. ports. After reaching the r0 state, there is a transition on every clock cycle for the next ten cycles, as ten rounds of encryption is applied to the State.WORKING OF PROJECT After going through ten rounds of A. Design Hierarchy transformations, the „done‟ signal is asserted to The proposed AES128 hardware model is a indicate the completion of cipher and availability of3-level hierarchical design as shown in Figure 6. the ciphertext on the corresponding output port.The root module in the hierarchy is the ↑clk ↑clk r2AES128_cipher_top. This module implements the ↑clk ↑clkAES128 pseudo code displayed in Figure 2. It has r1 r3two 128-bit inputs for receiving the cipher key andthe plaintext. There is also a single bit input signal, Ld r0 r4 !rst ↑clk„Ld‟, which is used to indicate the availability of anew set of plaintext or cipher key on the input ports. rst Wait for !Ld Reset r5The completion of the encryption process is Ldindicated by asserting the „done‟ single bit output. ↑clk ↑clk r10 r6 States Outputs --------------- -------------- r9 r7 R0 … R9 done=0 ↑clk ↑clk ciphertext= z R10 done=1 r8 ciphertext= <valid> ↑clk ↑clk AES128_Cipher_Top ciphertext Figure 7 – AES128_Cipher_Top Module State plaintext 128 b 128 b Diagram cipherkey 128 b C. AES128 Round Key Generation ld The round keys used by the rst done AES128_Cipher_Top module are generated based on AES128_Rcon clk the state diagram shown in Figure 8. The AES128_Key_Expand AES128_Key_Expand and the AES128_RCon modules are responsible for generating the round keys. These two modules operate based on the state diagram shown in Figure 10, which is slightly different than the one used for the encryption process.Figure 6 – Design Hierarchy ↑clk ↑clk r2 A unique feature of the proposed design is Ld ↑clk r1 r3that the AES128_Key_Expand module is pipelinedwith the AES128_cipher_top module. While the ↑clk r0 !Ld r4 rstAES128_cipher_top module is performing aniteration of the encryption transformations on theState using the previously generated round keys, the !rst Reset ↑clk r5AES128_Key_Expand produces the next round‟s set ↑clkof keys to be used by the root module in the next r10 r6encryption iteration. ↑clk ↑clk States Outputs · r9 r7B. AES128 Encryption Process --------------- R0 … R10 --------------------------------- w0 = roundkey(Round*i) The AES128_cipher_top module state w1 = roundkey(Round*i+1) w2 = roundkey(Round*i+2) ↑clk r8 ↑clkdiagram is shown in Figure 7. There are ten rounds w3 = roundkey(Round*i+3)of transformations represented by r1 to r10 states.The four cipher transformations introduced in section Figure 8 – AES128_Key_Expand Module State2.3 are applied to each state. The r0 state Diagramcorresponds to the initial AddRoundKey In the state diagram shown above, the „Ld‟transformation in Figure 2. signal is checked in the „r0‟ state and if asserted, After leaving the Reset state, the then the cipher key is provided to theAES128_Cipher_Top module waits for assertion of AES128_Cipher_Top module to be used for the initial AddRoundKey transformation. 505 | P a g e
  7. 7. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508 The AES128_Key_Expand module hierarchy that needs to be synthesized. Since thegenerates four 32-bit keys for each round of the RTL model utilizes a Verilog “Package”, then theencryption process, by using the cipher key. Figure synthesis tool needs to enable the semantics of a9 shows the block diagram of the package. In addition, the synthesis tool needs toAES128_Key_Expand module. The cipher key is know if there are multiple instances of calling anpassed to this module through a 128-bit input port, automatic function in the design, to preserve separateand the round keys are generated on the four output values for each instance.ports. After reading the design files, they are “Analyzed” and “Elaborated” through which the RTL code is converted into the Synopsys Design Compiler(SDC) internal format. [6] The intermediate results are stored in the defined “working library”. After this step, a 40MHz clock signal is 32 b w0 applied to the clock port of the root module, and the cipherkey 128 b synthesis tool is programmed not to modify the clock AES128_Key_Expand 32 b w1 tree during the optimization phase. In addition, an ld arbitrary input delay of 5ns with respect to the clock rst 32 b w2 clk port is applied to all input and output ports (except 32 b w3 the clock port itself) to set a safe margin by considering any unintended source of delay such as the delay associated with driving module/modules. Then, the design is constrained with hypothetical maximum area equal to zero to force theFigure 9 – AES128_Key_Expand Module tool to make the gate level netlist as compact as There is a 32-bit round constant value, possible.which is used by the key expansion algorithm to In the next steps, the tool is programmed togenerate the round keys. This value varies for each consider a unique design for each cell instance byencryption round and for Nr=1 to Nr=10 is given by removing the multiply-instantiated hierarchy in the[{02}i-1,{00},{00},{00}]. The AES128_RCcon current design. Then, the synthesis script removesmodule is used to generate this value as shown in the boundaries from all the components in the designFigure 10. The AES128_RCon module also operates hierarchy and removes all levels of hierarchy.based on the state diagram shown in Figure 10. Finally, the tool compiles the design with high effort and reports any warning related the mapping and final optimization step. At the end, the tool generates reports for the optimized gate level netlist area, the worst combinational path timing, and any violated design constraint. ld AES128_RCon 32 b rcon B. Synthesis Timing Result: rst The synthesis tool optimizes the clk combinational paths in a design. In General, four types of combinational paths can exist in any design: [3] 1- Input port of the design under test toFigure 10 – AES128_Rcon Module input of one internal flip-flip 2- Output of an internal flip-flip to inputD. S-box of another flip-flip The structure of the S-box is divided into 5 3- Output of an internal flip-flip to outputblocks and the parity of each block is predicted as a port of the design under testfunction of inputs to that block. The formulations for 4- A combinational path connecting thethe predicted parities as functions of inputs are input and output ports of the designobtained in this section. Since there exist three finite under testfield multipliers using GF(((2^2)^2)^2)2. The last DC command in the script developed in previous section, instructs the tool toVIII. IMPLEMENTATION OF report the path with the worst timing. In this case,ALGORITHM the path with the worst timing is a combinational path of type two. The delay associated with this pathA. Synthesis Methodology The first step in the synthesis process is to is the summation of delays of all combinational gates in the path plus the Clock-To-Q delay of theread all the components in the design hierarchy.There are three components in the 3-level design originating flip-flop, which was calculated as 506 | P a g e
  8. 8. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-50824.09ns. By considering the setup time of thedestination flip-flop in this path, which is 0.85ns, the ii. Performance Report40MHz clock signal satisfies the worstcombinational path delay. The delays ofcombinational gates, setup time of flip-flops andClock-To-Q values are derived from the LSI_10klibrary file that was used for the mapping step duringsynthesis. The synthesis timing report is shownbelow:C. Synthesis Area Result The synthesis area report shows the totalnumber of cells and nets in the netlist. It also uses thearea parameter associated with each cell in theLSI_10K library file, to calculate the totalcombinational and sequential area of the netlist. The Figure 12.Fmax. Summary report of slow carner.total area of the gate level netlist is unknown since it iii. Performance Reportdepends on total area of the inter connects, whichitself is a function of the wiring load model used inphysical design. The total cell area in the netlist isreported as 22978 units, which is the sum ofcombinational and sequential areas. The synthesisarea report is shown belowD. Synthesis Constraint Violators To enforce the synthesis tool to create themost compact netlist, the area of the gate level netlistwas constrained to zero during the synthesis process.As a result, the only constraint violation, which isexpected, is related to the area as shown bellowIX. RESULT AND DISCUSSION Figure 13.Fmax. summary report of fast carner. i. Area Utilization Report iv. Synthesis Report Figure 14. RTL Schematic reportFigure 11. Simulated output. 507 | P a g e
  9. 9. D.V.Nageswara Rao, P.Sunitha / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue 5, September- October 2012, pp.500-508v. Map Viewer Encryption Standard,” AES algorithm submission, June 1998. [3] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri, and V. Piuri, “Error Analysis and Detection Procedures for a Hardware Implementation of the Advanced Encryption Standard,” IEEE Trans. on Computers, vol. 52, no. 4, pp. 492-505, April 2003. [4] G. Bertoni, L. Breveglieri, I. Koren, and P. Maistri, “An efficient hardwarebased fault diagnosis scheme for AES: performances and cost,” In Proc. of the IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems (DFT2004), Cannes,Fig 15. Technology map viewer France, pp. 130-138, Oct. 2004. [5] D. Boneh, R. A. DeMillo, and R. J. Lipton,vi. Power Analyzes “On the Importance of Eliminating Errors in Cryptographic Computations,” Journal of Cryptology, vol. 14, no. 2, pp. 101-119, 2001. [6] L. Breveglieri, I. Koren, and P. Maistri, “Incorporating Error Detection and Online Reconfiguration into a Regular Architecture for the Advanced Encryption Standard,” In Proc. of the IEEE International Symposium on Defect and Fault Tolerance in VLSI Systems (DFT2005), Monterey, CA, USA, pp. 72-80, Oct. 2005. [7] D. Canright, “A Very Compact Rijndael S- box,” Naval Postgraduate School Technical Report: NPS-MA-05-001, May 2005.Fig.16 Power dissipation report [8] G. C. Cardarilli, M. Ottavi, S. Pontarelli, M. Re, and A. Salsano, “Fault localization,CONCLUSION error correction, and graceful degradation in In our project we perused the concept of radix 2 signed digit-based adders,” IEEECryptography including the various schemes of Trans. on Computers, vol. 55, no. 5, pp.system based on the kind of key and a few 534-540, May 2006.algorithms such as RSA and AES. We studied in [9] G. C. Cardarilli, S. Pontarelli, M. Re, and A.detail the mathematical foundations for AES based Salsano, “A self checking Reed Solomonsystems, basically the concepts of rings, fields, encoder: design and analysis,” In Proc. ofgroups, Galois finite fields and their properties. The the IEEE International Symposium onvarious algorithms for the computation of the scalar Defect and Fault Tolerance in VLSIproduct of a point were studied and their complexity Systems (DFT2005), Monterey, CA, USA,were analyzed. pp. 111-119, Oct. 2005. The advantage of this over the other Fault [10] S. Fenn, M. Gossel, M. Benaissa, and D.detection systems are proved by parameters .The key Taylor, “On-Line Error Detection for Bit-strength of this systems in comparison to other is Serial Multipliers in GF(2^m ),” Journal offault detection is impleted in all levels of algorithm Electronic Testing: Theory andimplementation and this will increase reliability. Applications, vol. 13, no. 1, August 1998. [11] A. Hodjat and I. Verbauwhede, “Area-REFERENCES Throughput Trade-Offs for Fully [1] M. Akkar and C. Giraud, “An Pipelined30 to 70 Gbits/s AES Processors,” Implementation of DES and AES, Secure IEEE Trans. on Computers, vol. 55, no. against Some Attacks,” In Proc. of the 4,pp. 366-372, April 2006. Workshop on Cryptographic Hardware and [12] T. Ichikawa et al, “Hardware Evaluation of Embedded Systems (CHES2001), Paris, the AES Finalists,” In Proc. 3th AES France, pp. 315-325, May 2001. Candidate Conference, New York, April [2] R. Anderson, E. Biham, and L. Knudsen, 2000. “Serpent: A Proposal for the Advanced 508 | P a g e