The document presents a project titled Harsam, a hardware implementation of the Tiaoxin-346 design, which focuses on efficient authenticated encryption to enhance data security. Authenticated encryption is introduced as a more reliable method than traditional encryption by requiring both encryption and authentication in a single process. The project details the stages of encryption and decryption processes, alongside simulation results, and outlines future work to improve design performance.

1. 29th International Conference on VLSI Design
&
15th International Conference on Embedded
Systems

2. About Us
• Design Contest Challenge D3
– Efficient Accelerator for Authenticated Encryption
• Title of the Project: HarSam
• Authors:
» Samnit Dua
• Final Year Student, B.Tech- E.C.E
• G B Pant Government Engineering College, GGSIPU,
Delhi
» Hardik Manocha
• Final Year Student, B.Tech-E.C.E
• G B Pant Government Engineering College, GGSIPU,
Delhi

3. Authenticated Encryption- AE
• What it is:
– A simple process to authenticate the confidential data of a
process, object, human or about anything; to increase the
security associated with the data.
– It describes that the person transmitting the data is the Actual
person who has to send the data.
– On the receiving end, data comes from where it is intended to
come from.
– MUCH SECURE scheme than the scheme of Encrypting (AES)
and then Authenticating the message(MAC).
– Easier for developers to incorporate Authentication in their
designs.

4. AE continued..
•Authentication is much needed to secure the encrypted data.
• Systems involving Encryption without Authentication: XML Encryption, WEP
etc.
• Above mentioned Systems were susceptible to attacks and therefore less
reliable.
• Then came the need for Authenticity to be associated with Encryption so that
attackers had to work upon a stronger string of data.
• Two ways to apply authenticity:
• Encrypt the data and then apply MAC (Message Authentication Code). Two different
processes and therefore complex.
• Encrypt and Authenticate using a single procedure.
• Second method to obtain Authenticated Encryption is much better and widely used by
developers.

5. TIAOXIN-346
• Name of a design which provides the feature of Authenticated
Encryption.
• Designed by Ivica Nikolic of Nanyang Technological University,
Singapore.
• TIAOXIN-346 is one of the Entries of CAESAR, a worldwide
competition related to Encryption.
• HarSam, our project is the Hardware Implementation of TIAOXIN-
346.

6. Screenshot representing CAESAR Entries

7. TIAOXIN-346 Encryption
Inputs:
• Key, K of 128 bits
• Public Message Number- Nonce, IV of 128 bits
• Plaintext, M of 256 bits
• Associated Data, AD of 256 bits
Outputs:
• Ciphertext , C of 256 bits
• Tag of 128 bits
Tiaoxin - 346 (K; IV; M;D) = (C; Tag)

8. Notations and Operations Used
• Word- sequence of 16 bytes.
• Z0- is a constant word with value “428a2f98d728ae227137449123ef65cd”.
• Z1- is a constant word with value “b5c0fbcfec4d3b2fe9b5dba58189dbbc”.
• Ts- state composed of s word. For instance, T3 has 3 words, T4 has 4 words and
T6 has 6 words.
• X Y { bitwise addition (XOR) of the words X and Y}.
• X & Y { bitwise conjunction (AND) of the words X and Y}.
• AES(X; SK) – X is the word and SK is the sub key. AES is one round single of AES.
AES(X; SK) = MixColumns(ShiftRows(SubBytes(X))) + SK
• R(Ts;M) - a round transformation of a state with s words.
R: Ts X M -> Ts new
Further R(Ts;M) uses AES(X;SK) either in keyless mode or keyed mode.

9. UPDATE Function
Update : T3 X T4 X T6 X M0 X M1 X M2 -> T3 X T4 X T6.
T3 new = R(T3,M0); T3=T3 new
T4 new = R(T4,M1); T4=T4 new
T6 new = R(T6,M2); T6=T6 new
Keyed Mode of AES round uses Z0 as Sub Key

10. AES Operations
• STATE Matrix:
Input Data block viewed as 4-by-4 table of bytes.
• Filling Up of STATE Matrix:
1 byte

11. AES Operations continued..

12. SubBytes: Byte Substitution Operation
• A simple substitution of each byte
• Uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit
values
• Each byte of state is replaced by byte indexed by row (left 4-bits) &
column (right 4-bits)
– E.g. byte {75} is replaced by byte in row 7 column 5
– which has value {5B}

13. SubBytes Table
Implement by Table Lookup

14. Sample SubByte Transformation

15. • Shifting, which permutes the bytes.
• A circular byte shift in each
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 bytes circular shift to left
– 4th row does 3 bytes circular shift to left
ShiftRow Operation

16. Sample ShiftRow Operation

17. MixColumn Operation
• Each column is processed separately.
• Each byte is replaced by a value dependent on all
4 bytes in the column

18. Sample MIxColumn Operation

19. TIAOXIN-346 Encryption Processing
• TIAOXIN-346 Encryption Algorithm works in 4 stages and are as following
• Initialization
• Processing Associated Data
• Encryption
• Tag Production
• Above mentioned processes are executed in the same order as they are written.
Initialization --> Processing Associated Data --> Encryption --> Tag Production

20. INITIALIZATION
• In this stage, three states T3, T4 and T6 are loaded with the Inputs
K and IV.
• After fill up process, States T3, T4 and T6 are updated 15 times
using UPDATE function.

21. PROCESSING ASSOCIATED DATA
•The associated data AD is divided into blocks of 32 bytes each. If the last block of
AD is incomplete (the length of the block is less than 32 bytes), padding with
zeroes is done.
AD = AD1; . . . ;ADd
|ADi| = 256 and ADlength = |AD|
The length of the AD is encoded as 16-byte big endian word and stored
in ADlength.
For our design, we have d=1 because AD is of 256 bits in size.

22. ENCRYPTION
•The message M is divided into blocks of 32 bytes each. If the last block of M is
incomplete (the length of the block is less than 32 bytes), padding with zeroes is
done.
M = M1; . . . ; Md
|Mi| = 256 and Mlength = |M|
The length of the M is encoded as 16-byte big endian word and stored
in Mlength.
In our design, we have m=1 because of 256 bit length of M.
C would be equal to M in terms of length.

23. ENCRYPTION continued..
• In case padding with zeroes is done in last block of M, then last
block of C generated in the Encryption stage would undergo
Truncation.
• Suppose last block of M contains ‘b’ bytes then, last block of C
would be truncated after ‘b’ bytes. Therefore “32-b” bytes would
be removed from the last block of C.
• Complete Ciphertext is explained by the following equation:
C = C1|| C2 || . . . || Cm
|| is the Concatenation Operator here

24. Tag Production
This is the Final stage of the complete Encryption Algorithm.
In this step, words holding the length of AD and M are processed.
Firstly, UPDATE function uses ADlength and Mlength
Further, 20 rounds of UPDATE function are used with Z0 and Z1 and Tag is
generated by the XOR operation of all words of T3, T4 and T6

25. TIAOXIN-346 Decryption
• Inputs:
• Key, K of 128 bits
• Public Message Number- Nonce, IV of 128 bits
• Ciphertext, C of 256 bits
• Associated Data, AD of 256 bits
• Tag of 128 bits
• Outputs:
• Plaintext, M of 256 bits
• Fail, single bit in size
Tiaoxin - 346 (K; IV; C;AD,Tag) = (M; Fail)

26. TIAOXIN-346 Decryption Processing
•TIAOXIN-346 Encryption Algorithm works in 4 stages and are as following
• Initialization
• Processing Associated Data
• Decryption
• Tag Production
• Above mentioned processes are executed in the same order as they are
written.
Initialization --> Processing Associated Data --> Decryption --> Tag Production
• Initialization, Processing Associated Data and Finalization stages are exactly
similar to Encryption steps.
• Only the Decryption stage is altered.

27. DECRYPTION
Assuming C has m blocks of 32 bytes
C = C1|| C2 || . . . || Cm
In our design, m=1 and therefore above statements are executed only once.
Padding with zeroes is done similarly as done in Encryption.
If the Tag produced in Decryption is similar to the Input Tag, then only M is generated
at the Output and Fail is made to Logic low. Else Fail is made to Logic High and M
generated in Decryption Stage is not available at the Output port.

28. SIMULATION- ENCRYPTION
• Inputs
•Key, K = 91cc70a38f1cf31c3a3a39c748e8ee3a
• Nonce, IV = b7ddefbdfad7df7b7dbee3e5f5f5fbe6
• Message,
M=b7ddf2398e1471e39e6387474738e91d1dc74fbdfad7df7b7dbee3e5f5f5fb6
• Associate Data, AD=
91cc70a38f1cf31c3a3a39c748edbeef7defd6befbdbedf71f2fafafdf30ee3a
• Outputs
C= d4a1b9fb02fa511cdf7f8cfbb90e22438702502bada2b70436ca6fc14c5d6224
Tag= bf979c14211c4930064abc4f50c2d0d0

30. SIMULATION- DECRYPTION
• Inputs
•Key, K = 91cc70a38f1cf31c3a3a39c748e8ee3a
• Nonce, IV = b7ddefbdfad7df7b7dbee3e5f5f5fbe6
• Ciphertext, C=
d4a1b9fb02fa511cdf7f8cfbb90e22438702502bada2b70436ca6fc14c5d6224
• Associate Data, AD=
91cc70a38f1cf31c3a3a39c748edbeef7defd6befbdbedf71f2fafafdf30ee3a
• Tag= Tag= bf979c14211c4930064abc4f50c2d0d0
• Outputs
• M= b7ddf2398e1471e39e6387474738e91d1dc74fbdfad7df7b7dbee3e5f5f5fb6
• Fail= 0

32. SYNTHESIZE- ENCRYPTION

33. SYNTHESIZE- DECRYPTION

34. COMPARISON
TIAOXIN-346 v/s HarSam

35. Modified Version of HarSam
As the comparison summarizes, our design is much
slower than the TIAOXIN-346.
But we have achieved Hardware Implementation.
In order to match the Timing characteristics of
TIAOXIN-346, we have modified our design and built a
newer design.
We have successfully Simulated the design but we
were not able to Synthesize the design due to lack of
our System resources.

36. SIMULATION- ENCRYPTION
MODIFIED DESIGN

37. SIMULATION- DECRYPTION MODIFIED DESIGN

38. FUTURE WORKS
• Try to achieve Hardware Implementation of Our
Modified design.
• Further work on to decrease Timing features so as
to take our design to be involved in some
applications.

39. Thank You