WO2009034393A1 - Aes-encryption apparatus and method - Google Patents


Info

Publication number: WO2009034393A1
Application number: PCT/GB2008/050822
Authority: WO (WIPO (PCT))
Prior art keywords: data, mixcolumns, keyexpansion, state, input
Other languages: French (fr)
Inventors: Timothy Good, Mohammed Benaissa
Original assignee: University Of Sheffield
Application filed by University Of Sheffield
Publication of WO2009034393A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L 9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • H04L 2209/80 Wireless
    • H04L 2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • The present invention relates to encryption apparatus and to a method of encrypting data.
  • The invention relates to apparatus suitable for implementation at very low hardware area cost and operation with sub-microwatt power consumption.
  • The invention relates to apparatus suitable for implementing an encryption process according to the Advanced Encryption Standard (AES).
  • AES is a Federal Information Processing Standards Publication (FIPS PUB 197) issued by the United States National Institute of Standards and Technology (NIST), the content of which is incorporated herein by reference.
  • the Advanced Encryption Standard (AES) process is a symmetric block cipher, herein referred to as the Cipher or AES process, that by using a secret variable known as a Cipherkey can encrypt information (thereby converting data into unintelligible ciphertext) and decrypt ciphertext (thereby converting ciphertext back into its original plaintext form) in a manner suitable for the protection of electronic data.
  • Cipherkey: the secret variable used by the Cipher to encrypt and decrypt.
  • AddRoundKey: transformation in the Cipher in which a RoundKey is added to the State using an XOR operation. The length of a RoundKey equals the size of the State.
  • KeyExpansion: a sequence of operations to convert the Cipherkey into a set of RoundKeys to be supplied to the AddRoundKey operator specific to each round.
  • RCON: the set of numerical round constants.
  • RotWord: function used in the KeyExpansion routine that takes a four-byte word and performs a cyclic permutation.
  • ShiftRows: transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
  • SubBytes: transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently.
  • S-box: nonlinear byte substitution table.
  • State: a 128-bit intermediate value in processing from plaintext to/from ciphertext, which may be acted upon by the operations ShiftRows, SubBytes, MixColumns, and AddRoundKey.
  • Encryption and decryption according to the AES may be conceptually understood to comprise a set of repeated operations, each set being referred to as a round. Each round converts an initial State into a new
  • The State may be conveniently thought of as a 4x4 matrix of sixteen 8-bit (1-byte) values.
  • The operations may act on individual bytes or on sets of four bytes forming whole rows or columns of the 4x4 matrix.
  • The AddRoundKey function is implemented on a 128-bit block of plaintext.
  • The final round is similar to the middle round with the exception that the MixColumns function is omitted.
  • The AddRoundKey function in each round is supplied with a different RoundKey. These are derived arithmetically from a Cipherkey using a KeyExpansion process. This process consists of further SubBytes operations together with some modulo-2 additions and a set of values referred to as the RCON constants.
  • The RCON constants are a sequence of bytes defined by FIPS-197. They may be derived by finite field doubling, starting with unity, in the GF(2^8) field using the AES irreducible polynomial.
  • Time constraints associated with a number of applications also limit the number of clock cycles that can be used in order to implement the cipher operation. In RFID systems, for example, this is at least in part because the clock frequency of the RFID device is typically set by the frequency of the RF carrier wave. It is a particularly severe constraint in the popular 100-150 kHz band for inductively powered RFID devices.
  • Embodiments of the present invention seek to mitigate at least some of the above mentioned problems by providing apparatus and methods of implementing an AES process.
  • Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of RoundKeys from a CipherKey, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion
  • AES: Advanced Encryption Standard.
  • The apparatus is configured under the action of the controller to transfer a series of data bytes from addresses in the data memory to the SubBytes portion, the controller being configured to select the addresses of the bytes in the data memory according to the sequence of bytes of a column of State as it would appear following a ShiftRows operation, thereby implementing the AES process without a requirement to physically change the addresses at which bytes are stored in the data memory.
  • By 'single port data memory' is meant memory having a single address bus, an input and an output, together with a write-enable signal and a clock input.
  • The AES round function may be performed on successive rounds on the changing logical data byte order without a requirement to re-order the bytes stored in the data memory.
  • The addresses are determined by calculation of an arithmetic series, the common difference of the arithmetic series being a composite binary number, the composite binary number being a composite of the least significant two bits of the round number (the number of the round of the AES currently being performed) and the two-bit binary constant '01'.
  • The apparatus is configured according to an 8-bit architecture.
  • The data memory is configured to store a 128-bit working State of the cipher as 16 bytes of data.
  • The data is read into the data memory from the data input portion via the AddRoundKey portion in a series of 16 bytes, bytes 0 to 15, the bytes being stored in corresponding respective addresses of the data memory, the controller being configured to map each of bytes 0 to 15 to a single address of the data memory.
  • The address of byte 0 is address 0, the address of byte 1 is address 1, and so forth.
  • The key memory is configured to store a 128-bit Cipherkey as 16 bytes of data.
  • The data memory comprises a single port memory.
  • The key memory comprises a single port memory.
  • The controller is configured to control the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
  • The MixColumns portion comprises a shift register (also referred to as the MixColumns shift register), the shift register being arranged to be loaded with the series of four MixColumns input bytes.
  • The MixColumns shift register is arranged to provide the four MixColumns input bytes to a MixColumns unit of the MixColumns portion, the MixColumns unit being configured to perform the MixColumns operation.
  • The MixColumns unit has five inputs, four corresponding to the bytes of the shift register and one 'bypass' input, discussed below.
  • The controller is configured to control the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
  • $$M = \begin{pmatrix} \mathrm{ffm2}(a) + \mathrm{ffm3}(b) + c + d \\ \mathrm{ffm2}(b) + \mathrm{ffm3}(c) + a + d \\ \mathrm{ffm2}(c) + \mathrm{ffm3}(d) + a + b \\ \mathrm{ffm2}(d) + \mathrm{ffm3}(a) + b + c \end{pmatrix}$$
  • that is, each output byte is $M_{\mathrm{byte}} = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$, the indices being taken modulo 4,
  • where $x$ is one of the four bytes representing a column of State,
  • $+$ is modulo-2 addition (XOR), and
  • ffm2 and ffm3 are finite field doubling and tripling respectively.
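The per-byte MixColumns equation above, together with the finite field doubling by which the text says the RCON constants are derived, as an added C example (this is not code from the patent): ffm2 is doubling modulo the AES polynomial, ffm3 is doubling plus the value, rcon walks the doubling chain from unity, and mixcolumns_byte is the equation with indices reduced modulo 4. The final_round flag stands in for the unit's bypass input. The input column and expected output in the self-check are the commonly published MixColumns worked example, embedded here as a constructed test; all function names are this example's own.

```c
#include <stdint.h>

/* ffm2: finite field doubling in GF(2^8) modulo the AES irreducible polynomial
 * x^8 + x^4 + x^3 + x + 1; a carry out of bit 7 is reduced by XOR with 0x1b. */
static uint8_t ffm2(uint8_t x)
{
    return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00));
}

/* ffm3: tripling is doubling plus the value itself (3x = 2x + x in the field). */
static uint8_t ffm3(uint8_t x)
{
    return (uint8_t)(ffm2(x) ^ x);
}

/* RCON for round i (1..10): start from unity and double i-1 times, as the text
 * describes; the step from 0x80 to 0x1b is where the polynomial reduction acts. */
uint8_t rcon(int round)
{
    uint8_t r = 0x01;
    for (int i = 1; i < round; i++)
        r = ffm2(r);
    return r;
}

/* One MixColumns output byte: M_byte = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3},
 * indices modulo 4 and '+' being XOR; i = 0..3 reproduces the four rows of M. */
uint8_t mixcolumns_byte(const uint8_t x[4], int i)
{
    return (uint8_t)(ffm2(x[i & 3]) ^ ffm3(x[(i + 1) & 3]) ^ x[(i + 2) & 3] ^ x[(i + 3) & 3]);
}

/* A whole column. When final_round is set the bypass wins and the bytes pass
 * through unchanged, which is how the last AES round omits MixColumns. */
void mixcolumns_column(const uint8_t in[4], uint8_t out[4], int final_round)
{
    for (int i = 0; i < 4; i++)
        out[i] = final_round ? in[i] : mixcolumns_byte(in, i);
}

/* Self-check against the commonly published MixColumns worked example
 * (input column db 13 53 45 gives 8e 4d a1 bc); returns 1 on success. */
int mixcolumns_selftest(void)
{
    const uint8_t in[4]   = {0xdb, 0x13, 0x53, 0x45};   /* constructed input column */
    const uint8_t want[4] = {0x8e, 0x4d, 0xa1, 0xbc};   /* expected MixColumns output */
    uint8_t out[4], bypass[4];
    mixcolumns_column(in, out, 0);
    mixcolumns_column(in, bypass, 1);
    for (int i = 0; i < 4; i++)
        if (out[i] != want[i] || bypass[i] != in[i])
            return 0;
    return 1;
}
```

Because ffm3 is built from ffm2, the whole column needs only the doubling circuit plus XORs, which is the same structural economy the patent exploits when it folds ffm2, ffm3 and the bypass into one inverting gate network.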
  • The controller is further configured to control the apparatus to write the output bytes from the MixColumns portion back to the addresses of the data memory from which the respective input bytes were previously read.
  • The MixColumns unit is configured to perform the MixColumns operation in substantially four clock cycles.
  • The controller is configured to control the apparatus to load the four input bytes into the MixColumns portion and to provide the corresponding MixColumns output from the MixColumns portion in substantially seven clock cycles.
  • The datapath is configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion.
  • This has the advantage of reducing the design area of the apparatus, since it is not required to provide two or more SubBytes units in order to implement the AES process.
  • Preferably, calculation of the MixColumns function is combined with the final round bypass logic and implemented by a network of gates comprising a plurality of inverting gates, by defining the component operations ffm2, ffm3 and modulo-2 addition in their inverting forms (inverted ffm2 and inverted ffm3).
  • The operations performed under the control of the controller comprise a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the controller being configured to control the apparatus to perform the
  • The feature of implementing the AddRoundKey operation on data input to the apparatus before the data is first stored in the data memory has the advantage that a reduction in the number of clock cycles required to perform the AES encryption process is achieved.
  • The increased efficiency in turn leads to a reduction in the amount of power and energy required to perform an AES process.
  • The MixColumns unit is provided with a set of gates to prevent unwanted switching activity propagating into the unit, reducing power consumption.
  • The MixColumns unit is provided with a bypass, the apparatus being arranged, in the final round of the AES, to pass data to an output of the MixColumns unit without performing a MixColumns operation on the data bytes.
  • CMOS power consumption is usually dominated by the dynamic power consumption arising from the switching activity of a device, static power being neglected. However, at low frequencies the static component is not insignificant.
  • Cipher primitives, including the AES, make frequent use of fields of XOR gates, which can generate a substantial amount of undesirable dynamic switching activity due to path length differences.
  • Such unwanted activity is checked by the placement of the shift register between the SubBytes portion (or SubBytes operator) and the MixColumns portion (or MixColumns operator), together with AND-gate style enable signals to prevent unwanted activity in both the KeyExpansion and State-processing parts of the datapath.
  • The operations performed comprise a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, a datapath of the apparatus being configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion.
  • The controller is configured to control the apparatus to perform the round processing and KeyExpansion operations in column order.
  • An RFID device comprising apparatus according to any preceding aspect.
  • An RFID device comprising apparatus according to any of the first to fourth aspects of the invention.
  • A method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of RoundKeys from a CipherKey, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on
  • The operations performed comprise a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
  • The operations performed comprise a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus such that the SubBytes unit is shared between the round processing portion and the KeyExpansion portion.
  • Embodiments of the invention have a low number of clock cycles with respect to prior art implementations of the AES process using an 8-bit datapath.
  • FIGURE 1 is a diagram of a sequence of operations according to the AES
  • FIGURE 2 is a schematic diagram of apparatus according to a first embodiment of the invention
  • FIGURE 3 is a diagram of a datapath of the apparatus according to the first embodiment
  • FIGURE 4 is a schematic diagram of a MixColumns portion according to the first embodiment
  • FIGURE 5 is a flow-graph describing one round of a 128-bit KeyExpansion performed by the KeyExpansion portion of apparatus according to the first embodiment
  • FIGURE 6 (a) to (c) is an annotated state transition diagram for a controller of apparatus according to the first embodiment
  • FIGURE 7 shows the ordering of bytes composing the State for rounds 0 to 4 of the AES process
  • FIGURE 8 is a state diagram showing the content of an input to a MixColumns shift register, the content of the shift register and an output of a MixColumns portion during the course of seven cycles of one column of MixColumns processing;
  • FIGURE 9 is a post library merge layout of Example 1 highlighting the relative size of a core compared to the overall design.
  • FIGURE 10 is a table of measured performance values from a batch of manufactured devices (example 1 below) with comparison to a prior art device.
  • The apparatus 1 has a datapath 3 and a controller 2.
  • The corresponding state transition diagram for the controller 2 is presented in FIG. 4.
  • The controller 2 has a finite state machine 2A, a 4-bit round counter 2B, a key address counter 2C and a State address counter 2D.
  • The finite state machine has 27 states.
  • The apparatus is further provided with a data input 10 and a data output 12.
  • The data input 10 and data output 12 are of 8-bit configuration.
  • The apparatus 1 is also provided with a round processing portion 100 and a KeyExpansion portion 200 (FIG. 3).
  • The apparatus 1 is arranged to pass a byte of data provided at the data input 10 to both a data memory 20 and a key memory 30 for storage therein.
  • The data memory 20 and key memory 30 are both single port memories and are each arranged to store 16 bytes of data.
  • Embodiments of the apparatus may be configured to have either a single bidirectional data bus or separate data inputs and outputs.
  • Processing is performed in turn on datasets of 16 bytes of data.
  • The 16 bytes of data processed in a given dataset are referred to as byte numbers 0 to 15 according to the order of their being presented to the data input 10. It will be appreciated that the binary value represented by a given byte will change in the course of processing the bytes according to the AES, but that the byte number will not change.
  • Prior to inputting data to apparatus according to the present embodiment of the invention, a Cipherkey is first loaded into the key memory 30 via the data input 10.
  • The first round (round 0) of the AES process requires the AddRoundKey function to be performed on each of the 16 bytes of data input to the apparatus 1.
  • The AddRoundKey function is performed as the bytes are first passed in turn from the data input 10 to the data memory 20, for initial storage in the data memory 20.
  • The AddRoundKey function is performed before a given byte of data is passed to the data memory 20 from the data input 10.
  • The initial AddRoundKey function is performed one byte at a time by means of an 8-bit modulo-2 addition using eight XOR gates that form an AddRoundKey unit 40.
  • A first input 41 of the AddRoundKey unit 40 is connected to the data input 10, whilst a second input 42 of the AddRoundKey unit 40 is connected to an output of the KeyExpansion portion 200 of the apparatus 1.
  • The AddRoundKey unit 40 is configured to perform 16 cycles of operation in order to accomplish one complete round of processing according to the AES process. The processing is performed in groups of 4 cycles.
  • The AddRoundKey unit 40 accomplishes the first round (round 0) of processing of the data according to the AES.
  • Apparatus 1 in which the AddRoundKey function is performed as data is loaded for the first time into the data memory 20 using an 8-bit datapath has the advantage of reducing the number of clock cycles required in order to implement the AES compared with known implementations of the AES. It will be appreciated that at least 16 clock cycles are saved by performing the AddRoundKey function in this manner.
  • Processing 8 bits at a time rather than (say) 128 bits results in a significant reduction in power consumption and design area.
  • The first four bytes of the data memory 20 (bytes 0 to 3) are fed sequentially into a SubBytes unit 50 in order to commence round 1 of the AES process.
  • A given sequence of four bytes being processed is also referred to as bytes a, b, c, d.
  • The SubBytes unit 50 implements the SubBytes process using composite field arithmetic.
  • The normal basis construction of Canright (case #4) is used (D. Canright, 'A very compact S-box for AES', LNCS 3659 pp. 441-455, 2005, Springer, incorporated herein by reference).
  • The SubBytes unit 50 is shared between the round processing and KeyExpansion portions 100, 200 of the apparatus.
  • An output 52 of the SubBytes unit 50 is arranged to be connected to pass data to a shift register 60 of the MixColumns portion 70 of the round processing portion 100 of the apparatus 1 or to the KeyExpansion portion 200 of the apparatus 1.
  • The SubBytes unit 50 is shared between the round processing portion 100 and the KeyExpansion portion 200 of the apparatus 1 by means of time multiplexing under the control of the controller 2.
  • The ShiftRows functionality is implemented by keeping track of the memory addresses of the operands required for the process within the same and successive rounds. Consequently it is not required to move data from one memory location to another, as will be seen in the following description of this function.
  • The ShiftRows function is performed effectively in column order. It will be appreciated by those skilled in the art that performing the ShiftRows function in column order is a departure from the conventional approach, which is to perform the ShiftRows function in row order.
  • The SubBytes and ShiftRows functions, and the process of feeding bytes from the data memory 20 to the shift register 60 of the MixColumns portion 70, can occur concurrently.
  • A second phase of processing evaluates the MixColumns function (by means of the MixColumns portion 70) followed by the AddRoundKey function (by means of the AddRoundKey portion 40). Columns of State are then returned to the data memory 20.
  • FIG. 7 shows the ordering of bytes of State for rounds 0 to 4 of the AES process. The process can be seen to form a repeating pattern of the order of bytes of State every four rounds.
  • each round requiring implementation of the ShiftRows process involves the transfer of bytes between different locations (addresses) of data memory 20.
  • the requirement to perform the ShiftRows process involving the logical rearrangement of the bytes in memory and the requirement to read the bytes one column at a time are both fulfilled by the controller 2 keeping track of the mapping between physical and logical byte locations.
  • the order of the first row of bytes of the State remains unchanged, i.e. the row contains bytes 0, 4, 8, 12 in that order.
  • the bytes of the second row are shifted one position to the left, the byte in the first column of the second row being wrapped around to the fourth (last) column of the second row.
  • the bytes of the third row are shifted two positions to the left in a corresponding manner, whilst the bytes of the fourth row are shifted three positions to the left.
  • the logical reordering of bytes of the State following a shift rows operation is implemented by physically reordering the location of the bytes in the memory.
  • the original byte order value (or byte number) of the required bytes increases by '+5' modulo 16 (again, starting with 0) as one moves down one column and on to the top of the next column. That is, in the first column the order is 0, 5, 10, 15; in the second column the order is 4, 9, 14, 3; in the third column the order is 8, 13, 2, 7 and in the fourth column the order is 12, 1, 6, 11.
  • the byte numbers of the first four data bytes to be passed to the MixColumns portion 70 are given by the values in the first column of the State given in FIG. 7.
  • the byte numbers of the subsequent bytes to be passed to the MixColumns portion 70 are given by the remaining three columns of the State.
  • in the case of round 2 the corresponding increment is '+9' modulo 16; in the case of round 3 the increment is +13 modulo 16 and in the case of round 4 the increment is again +1 modulo 16.
  • the binary form is the composite of the least significant two bits of the round counter and the digits '01'.
  • the binary form of the respective different increments is a composite binary number, as may be seen by inspection of FIG. 7.
  • ShiftRows function can be implemented in an 8-bit architecture configured according to the present embodiment without a requirement to change the physical location in data memory 20 at which a byte corresponding to a given input byte number (0 to 15) is stored.
  • the required sequence of bytes can be provided to the shift register 60 of the MixColumns portion 70 of the apparatus 1 by inputting data to the SubBytes unit 50 from locations of the data memory 20 the addresses of which are determined by adding the above composite binary number to itself repeatedly, starting at zero, until all 16 bytes to be processed in a given round have been provided.
  • storage of the address from which data is to be accessed from the data memory 20 is performed using a 4-bit accumulator. It will be appreciated that substantial resources are saved in apparatus according to the present embodiment compared with apparatus configured to physically reorder the location of data in memory in the course of implementing the ShiftRows operation.
  • byte numbers corresponding to those listed in the columns of the various rounds represented in FIG. 7 are passed one by one to a 4x8-bit shift register 60 of the MixColumns portion 70 of the apparatus 1 as described above.
  • the contents of the shift register 60 are then placed on four inputs of the MixColumns unit 65 configured to perform the AES MixColumns function.
  • An output 72 of the MixColumns portion 70 is fed via the AddRoundKey unit 40 back to the data memory 20.
  • Data processed by the MixColumns unit 65 is thereby returned to the respective byte locations of the data memory 20 from which the data was originally read, ready to be read out in the course of the next round.
  • the storage and addressing scheme described above permits the fetching of data bytes for each round of the AES process in the correct logical order. This feature in turn allows implementation of the AES process using an 8-bit datapath in a shorter critical path or lower number of clock cycles.
  • the critical path is a few orders of magnitude less than the clock period at typical process voltages.
  • the core voltage can thus be lowered thereby further reducing power consumption.
  • the temporary data storage inherent in the MixColumns portion 70 further assists in simplifying addressing; this is particularly important in embodiments of the invention using single port memories and an 8-bit datapath. Storage in the shift register 60 of the MixColumns portion 70 assists in breaking unwanted switching activity in an otherwise long path of XOR gates; it also assists in avoiding repeatedly fetching the same operands for the MixColumns unit 65.
  • the MixColumns function for one column of the MixColumns process according to the AES process is calculated by the MixColumns portion 70 as follows for a given column of four bytes [a b c d]:
  • each output byte $M_i$ is given by $M_i = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$, with all byte indices taken modulo 4
  • $x_i$ is one of four bytes representing a column of State
  • + is modulo-2 addition
  • ffm2 and ffm3 are finite field doubling and tripling respectively.
  • processing of each column of data bytes by the MixColumns portion 70 is performed by rotating through the four bytes of each column and requires seven clock cycles to be completed. This includes fetching and writing bytes of data to and from data memory 20. It will be appreciated that the contents of a given address in data memory 20 may be made available to the SubBytes unit 50 and propagate through the SubBytes unit 50 to the MixColumns portion 70 for loading into the MixColumns portion 70 within a single clock cycle.
  • FIG. 8 is a state diagram showing the content of the input (column 1 ) to the MixColumns shift register 60, the content of the shift register itself (column 2) and the output of the MixColumns portion 70 (column 3) during the course of one column of MixColumns processing.
  • data bytes a to d are sequentially placed on the input 61 of the shift register 60, thereby loading each byte into the shift register 60.
  • the letters a to d represent the particular series of four byte numbers being processed at any given stage of a round.
  • results MO to M3 of the MixColumns process are output to the original address locations of bytes a to d, respectively.
  • FIG. 5(a) is a schematic apparatus diagram of the MixColumns portion 70 showing the MixColumns shift register 60 and the MixColumns unit 65.
  • FIG. 5(b) shows the negative logic definition of ffm2 (i.e. its inverted form $\overline{\mathrm{ffm2}}$), whilst
  • FIG. 5(c) shows the negative logic definition of ffm3 (i.e. its inverted form $\overline{\mathrm{ffm3}}$).
  • the MixColumns operation is not performed.
  • Data is transferred from the data memory 20 via the SubBytes unit 50 to the shift register 60 of the MixColumns portion 70 as described with respect to round 1 above.
  • the ShiftRows and SubBytes functions are performed on the data.
  • the controller 2 controls the apparatus 1 to place the MixColumns portion 70 effectively in a bypass mode by driving control line 'mixcol_en' to logic 0. This allows data to transfer directly from the shift register 60 to the data output 12 via the AddRoundKey portion 40 of the apparatus 1 (i.e. XOR gates 40).
  • the MixColumns unit 65 also contains a set of gates to zero the input of the a,b and c operands (FIG. 4) to reduce unwanted switching activity and provide for a bypass required for the final round.
  • the apparatus 1 has single port memories implemented with flip-flops.
  • the single port memories are implemented by smaller semiconductor process-specific elements such as dynamic or static memory hard macros.
  • the KeyExpansion portion 200 of the apparatus 1 has a key memory 30, a KeyExpansion unit 85, a KeyExpansion shift register 80 and an RCON unit 90.
  • the process of KeyExpansion starts with the Cipherkey and is operated by the controller 2 to produce successive bytes of the next RoundKey. These bytes are used by the AddRoundKey unit 40 and are also stored in the key memory 30 to allow the process of KeyExpansion to be continued for each successive round.
  • the RCON register 92 may be put into an initial state representing the value {01}.
  • the key memory 30 is also configured to store 16 bytes of data, as in the case of the data memory 20.
  • the KeyExpansion shift register 80 is provided in order to obtain an 'older' (previous) RoundKey byte required as part of the KeyExpansion function. A deliberate delay of one cycle is introduced using the KeyExpansion shift register 80 in order to coordinate the process of KeyExpansion with data input 41 of the AddRoundKey unit 40.
  • Forward KeyExpansion may be performed one column at a time in order to integrate the KeyExpansion process with the mix columns process.
  • the KeyExpansion process is performed in column order to suit the order of RoundKey bytes required by the round processing portion 100.
  • the KeyExpansion portion 85 consists of a 4x8-bit shift register 80 and a conditional 4-input finite field addition unit 87.
  • the shift register 80 and addition unit 87 are operated by the controller 2 to perform mathematical operations in accordance with the above equation.
  • FIG. 6 represents a 128-bit KeyExpansion performed according to the AES specification.
  • the four SubBytes calculations of the KeyExpansion process are performed using the SubBytes unit 50 of the round processing portion 100 of the apparatus 1 on a time-multiplexed basis.
  • This feature has the advantage of reducing a complexity and area of the overall apparatus. This is at least in part because a separate SubBytes unit for the KeyExpansion process is not required to be provided.
  • Example 1: A device fabricated according to the first embodiment of the invention utilised an 8-bit bidirectional bus for data I/O to permit packaging in a SOIC20 package.
  • the overall design was pad limited and less than 1 mm square.
  • the layout of the chip (fabricated using 0.13 µm silicon technology) is shown in FIG. 9.
  • FIG. 10 shows a table of measured performance values of the device in comparison to that disclosed by M. Feldhofer, J. Wolkerstorfer and V. Rijmen, 'AES implementation on a grain of sand', IEE Proc. Information Security, Vol. 1, pp 13-20, 2005. It will be appreciated that the device represents a substantial improvement in performance over known devices.
  • embodiments of the invention may be integrated in RFID devices as part of apparatus to provide secure data transfer between an RFID device and an RFID device reader.
  • Embodiments of the invention are suitable for incorporation in passive RFID devices, i.e. devices not having an internal power source, but which rely on scavenged power from an RF carrier wave.
  • Embodiments of the invention may be provided in articles such as items of merchandise, documents such as a passport document, or any other article. Embodiments of the invention are useful in the tracking of a location of a device and a range of other applications.
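The address-sequence form of ShiftRows summarised in the bullets above (a 4-bit accumulator adding +5, +9, +13 or +1 modulo 16 depending on the round, results written back to the addresses they were read from) as an added C example; it is not code from the patent or from the fabricated device. It models the data memory with logical byte numbers instead of data and checks, for every round, that the generated address sequence fetches the State in ShiftRows column order. Function and variable names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Common difference for round r: the low two bits of the round counter
 * followed by the binary digits '01', giving 5, 9, 13, 1, 5, ... */
static uint8_t shiftrows_increment(int round) { return (uint8_t)(((round & 3) << 2) | 1); }

/* Fill seq[16] with the physical data-memory addresses read in a round,
 * generated the way the 4-bit accumulator does it: start at 0 and keep
 * adding the increment modulo 16. */
static void address_sequence(int round, uint8_t seq[16]) {
    uint8_t acc = 0, inc = shiftrows_increment(round);
    for (int j = 0; j < 16; j++) { seq[j] = acc; acc = (uint8_t)((acc + inc) & 0x0f); }
}

/* Convenience accessor: address read at position j of the round's sequence. */
static uint8_t address_at(int round, int j) {
    uint8_t seq[16];
    address_sequence(round, seq);
    return seq[j];
}

/* Logical byte number that position j (column j/4, row j%4) of the State
 * takes from the previous State under ShiftRows: row i is rotated left by i. */
static uint8_t shiftrows_source(int j) {
    int col = j / 4, row = j % 4;
    return (uint8_t)(4 * ((col + row) % 4) + row);
}

/* Simulate rounds 1..rounds with a memory that holds logical byte numbers.
 * Each round fetches the address sequence, which must deliver the
 * ShiftRows-ordered State, then writes position j back to the address it
 * was read from. Returns 1 if the ordering is right in every round. */
static int addressing_is_consistent(int rounds) {
    uint8_t mem[16], seq[16];
    for (int k = 0; k < 16; k++) mem[k] = (uint8_t)k;   /* after round 0: byte k at address k */
    for (int r = 1; r <= rounds; r++) {
        address_sequence(r, seq);
        for (int j = 0; j < 16; j++)
            if (mem[seq[j]] != shiftrows_source(j)) return 0;  /* wrong operand fetched */
        for (int j = 0; j < 16; j++) mem[seq[j]] = (uint8_t)j;  /* in-place write-back */
    }
    return 1;
}

int main(void) {
    uint8_t seq[16];
    for (int r = 1; r <= 4; r++) {
        address_sequence(r, seq);
        printf("round %d (+%2u):", r, shiftrows_increment(r));
        for (int j = 0; j < 16; j++) printf(" %2u", seq[j]);
        printf("\n");
    }
    printf("addressing consistent over 10 rounds: %s\n",
           addressing_is_consistent(10) ? "yes" : "no");
    return 0;
}
```

Printing rounds 1 to 4 reproduces the byte orders listed in the bullets above (0, 5, 10, 15, 4, 9, 14, 3, ... for round 1), and the consistency check is what a reviewer of such a design would want: the sequence of increments 5, 9, 13, 1 is exactly the sequence of powers of 5 modulo 16, which is why the pattern repeats every four rounds.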

Abstract

Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion comprising: a data memory configured to store a State of the cipher; a SubBytes portion; a MixColumns portion; an AddRoundKey portion; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the apparatus being further configured under the action of the controller to transfer data bytes from each of a series of addresses in the data memory to the SubBytes portion, the controller being configured to generate the series of addresses from which data is to be transferred such that the output of the data memory is a column of State as it would appear following a Shift Rows operation.

Description

AES-ENCRYPTION APPARATUS AND METHOD
Field of the Invention
The present invention relates to encryption apparatus and to a method of encrypting data. In particular, but not exclusively, the invention relates to apparatus suitable for implementation at very low hardware area cost and operation with sub-microwatt power consumption. More particularly, but not exclusively, the invention relates to apparatus suitable for implementing an encryption process according to the Advanced Encryption Standard (AES). The AES is a Federal Information Processing Standards Publication (FIPS PUB 197) issued by the United States National Institute of Standards and Technology (NIST), the content of which is incorporated herein by reference.
Background
The Advanced Encryption Standard (AES) process is a symmetric block cipher, herein referred to as the Cipher or AES process, that by using a secret variable known as a Cipherkey can encrypt information (thereby converting data into unintelligible ciphertext) and decrypt ciphertext (thereby converting ciphertext back into its original plaintext form) in a manner suitable for the protection of electronic data.
Terms used in the FIPS PUB 197 are given the following definitions:
AddRoundKey: Transformation in the Cipher in which a RoundKey is added to the State using an XOR operation. The length of a RoundKey equals the size of the State.
KeyExpansion: A sequence of operations to convert the Cipherkey into a set of RoundKeys to be supplied to the AddRoundKey operator specific to each round.
MixColumns: Transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns.
RCON: The set of numerical round constants.
RotWord: Function used in the KeyExpansion routine that takes a four-byte word and performs a cyclic permutation.
ShiftRows: Transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
SubBytes: Transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently.
State: A 128-bit intermediate value in processing from plaintext to/from ciphertext, which may be acted upon by the operations ShiftRows, SubBytes, MixColumns, and AddRoundKey.
XOR: Exclusive-OR operation.
Encryption and decryption according to the AES (hereinafter referred to as an 'AES process') may be conceptually understood to comprise a set of repeated operations, each set being referred to as a round. Each round converts an initial State into a new State using a set of operations in combination with a RoundKey. The State may be conveniently thought of as a 4x4 matrix of sixteen 8-bit (1-byte) values. The operations may act on individual bytes or on sets of four bytes forming whole rows or columns of the 4x4 matrix.
One version of the AES process is illustrated schematically in FIG. 1. In the first round (round 0), an AddRoundKey function is implemented on a 128-bit block of plaintext.
In subsequent rounds not including the final round (also known as 'middle rounds'), four functions are performed on State. Firstly a SubBytes process is performed, then a ShiftRows function, followed by a MixColumns function and finally the AddRoundKey function.
The final round is similar to the middle round with the exception that the MixColumns function is omitted.
The AddRoundKey function in each round is supplied with a different RoundKey. These are derived arithmetically from a Cipherkey using a KeyExpansion process. This process consists of further SubBytes operations together with some modulo-2 additions and a set of values referred to as the RCON constants. The RCON constants are a sequence of bytes defined by FIPS-197. They may be derived by finite field doubling starting with unity in the GF(2^8) field using the AES irreducible polynomial.
Implementation of the AES process is relatively straightforward in systems and apparatus where factors such as an amount of power consumed by a device, a level of computing resources, and physical area required for the implementation are not primary concerns.
In some applications, however, such as the protection of data transferred to or from an RFID device, wireless sensor node or any low power communication device, these factors can be of substantial importance. 'Low resource' designs exist for the implementation of the AES process, however the designs typically consume not inconsiderable area and power, and/or require a considerable number of clock cycles in order to perform required operations.
These and other issues provide a significant barrier to integration of the AES process in low-resource applications such as passive RFID and wireless sensor nodes (WSN) in general. In many of these applications, strong encryption is required during operation under tight power constraints. For example, power for an RFID device may be required to be scavenged from a low frequency RF carrier wave.
Time constraints associated with a number of applications also limit the number of clock cycles that can be used in order to implement the cipher operation. In RFID systems for example, this is at least in part because the clock frequency of the RFID device is typically set by the frequency of the RF carrier wave. It is a particularly severe constraint in the popular 100-150 kHz band for inductively powered RFID devices.
Embodiments of the present invention seek to mitigate at least some of the above mentioned problems by providing apparatus and methods of implementing an AES process.
In a first aspect of the invention there is provided apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of RoundKeys from a CipherKey, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the apparatus being further configured under the action of the controller to transfer data bytes from each of a series of addresses in the data memory to the SubBytes portion, the controller being configured to generate the series of addresses from which data is to be transferred such that the output of the data memory is a column of State as it would appear following a ShiftRows operation, the ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
In other words, the apparatus is configured under the action of the controller to transfer a series of data bytes from addresses in the data memory to the SubBytes portion, the controller being configured to select the addresses of the bytes in the data memory according to a sequence of bytes corresponding to that of a column of State as it would appear following a ShiftRows operation thereby implementing the AES process without a requirement to physically change the addresses at which bytes are stored in the data memory.
This has the advantage of permitting the ShiftRows operation to be performed simultaneously with the SubBytes operation. The four byte internal storage within MixColumns then permits the results from MixColumns to be written back to the same data memory locations. This allows the use of single port memory whilst still maintaining a low cycle count.
By 'single port data memory' is meant memory having a single address bus, an input and an output together with a write-enable signal and clock input.
By calculation of a memory address according to the method of the invention, and transferring a byte from that address to the SubBytes unit, the AES round function may be performed on successive rounds on the changing logical data byte order without a requirement to re-order the bytes stored in the data memory.
Preferably, the addresses are determined by calculation of an arithmetic series, a common difference of the arithmetic series being a composite binary number, the composite binary number being a composite of the least significant two bits of a round number, the round number being the number of the round of the AES currently being performed, and the two bit binary constant '01'.
This has the advantage that processing according to the AES may be performed in a substantially reduced number of clock cycles and in apparatus having a reduced area (or 'design area') and a reduced power consumption relative to known implementations.
Preferably the apparatus is configured according to an 8-bit architecture.
Preferably the data memory is configured to store a 128-bit working State of the cipher as 16 bytes of data. Preferably the data is read into the data memory from the data input portion via the AddRoundKey portion in a series of 16 bytes, bytes 0 to 15, the bytes being stored in corresponding respective addresses of the data memory, the controller being configured to map each of bytes 0 to 15 to a single address of the data memory.
Preferably the address of byte 0 is address 0, the address of byte 1 is address 1, and so forth.
Preferably the key memory is configured to store a 128-bit Cipherkey as 16 bytes of data.
Preferably the data memory comprises a single port memory.
Preferably the key memory comprises a single port memory.
Preferably the controller is configured to control the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
This has the advantage of further reducing a number of clock cycles required to implement the AES (or 'AES process'). A requirement to first store in a memory data input to the apparatus before the data is subjected to the AddRoundKey function is thereby eliminated. This reduces the number of clock cycles required to implement the AES process.
Preferably the MixColumns portion comprises a shift register (also referred to as the MixColumns shift register), the shift register being arranged to be loaded with the series of four MixColumns input bytes.
Preferably the MixColumns shift register is arranged to provide the four MixColumns input bytes to a MixColumns unit of the MixColumns portion, the MixColumns unit being configured to perform the MixColumns operation.
Preferably the MixColumns unit has five inputs, four corresponding to the bytes of the shift register and one 'bypass' input, discussed below. Preferably the controller is configured to control the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
$$M = \begin{bmatrix} \mathrm{ffm2}(a) + \mathrm{ffm3}(b) + c + d \\ \mathrm{ffm2}(b) + \mathrm{ffm3}(c) + a + d \\ \mathrm{ffm2}(c) + \mathrm{ffm3}(d) + a + b \\ \mathrm{ffm2}(d) + \mathrm{ffm3}(a) + b + c \end{bmatrix}$$
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
$$M_i = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$$
where $x_i$ is one of four bytes representing a column of State, + is modulo-2 addition, and ffm2 and ffm3 are finite field doubling and tripling respectively.
This has the advantage of allowing implementation of the AES in a smaller number of clock cycles than previous 8-bit implementations of the AES.
Preferably the controller is further configured to control the apparatus to write the output bytes from the MixColumns portion back to addresses of the data memory from which input bytes respectively were previously read.
Preferably the MixColumns unit is configured to perform the MixColumns operation in substantially four clock cycles.
Preferably the controller is configured to control the apparatus to load the four input bytes to the MixColumns portion and to provide a corresponding MixColumns output from the MixColumns portion in substantially seven clock cycles.
Preferably the datapath is configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion. This has the advantage of reducing the design area of the apparatus since it is not required to provide two or more SubBytes units in order to implement the AES process.
Preferably calculation of the MixColumns function is combined with final round bypass logic and implemented by a network of gates comprising a plurality of inverting gates by defining component operations ffm2 and ffm3 and modulo-2 addition in their inverting forms ($\overline{\mathrm{ffm2}}$ and $\overline{\mathrm{ffm3}}$).
It will be understood that in some embodiments of the invention, after subsequent Mixcolumns and AddRoundkey operations columns of State processed by the MixColumns portion are returned to the same physical addresses in the data memory from which they were read, and the sequence of addresses is modified for each subsequent round to compensate thereby implementing the AES process with reduced clock cycles and a single port memory architecture.
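A complete AES-128 encryption built on the scheme of the preferred embodiments above (AddRoundKey applied to input bytes before they are first stored, the arithmetic address series whose common difference is the round counter's low two bits followed by '01', SubBytes on the way into a four-byte MixColumns buffer, the $M_i = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$ equation, a final-round MixColumns bypass, and write-back to the same addresses), as an added C example that is not code from the patent or from the fabricated device. It departs from the apparatus in two ways it labels as its own choices: all RoundKeys are computed up front with the standard FIPS-197 KeyExpansion rather than one column at a time, and the S-box is derived arithmetically rather than held in a table. Function names are the example's own. It checks itself against the FIPS-197 Appendix C.1 AES-128 test vector, which is the verification a practitioner should insist on for any non-standard data ordering.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* GF(2^8) multiply with the AES polynomial x^8+x^4+x^3+x+1 (0x11b). */
static uint8_t gmul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* ffm2 / ffm3: finite field doubling and tripling (the patent's names). */
static uint8_t ffm2(uint8_t a) { return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); }
static uint8_t ffm3(uint8_t a) { return (uint8_t)(ffm2(a) ^ a); }

/* SubBytes from its definition: inverse in GF(2^8) (x^254), then the
 * FIPS-197 affine map. Assumption: computing it instead of using a
 * 256-entry table is this example's choice, not the apparatus's SubBytes unit. */
static uint8_t sbox(uint8_t x) {
    uint8_t p = x, inv = 1, s;
    for (int i = 0; i < 7; i++) { p = gmul(p, p); inv = gmul(inv, p); }
    s = inv ^ 0x63;
    for (int k = 1; k <= 4; k++) s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
    return s;
}

/* Standard FIPS-197 KeyExpansion, run up front here; the apparatus instead
 * produces each RoundKey column on the fly, time-sharing the SubBytes unit. */
static void key_expand(const uint8_t key[16], uint8_t rk[176]) {
    uint8_t rcon = 0x01;
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4] = { rk[i - 4], rk[i - 3], rk[i - 2], rk[i - 1] };
        if (i % 16 == 0) {                        /* RotWord, SubWord, RCON */
            uint8_t t0 = t[0];
            t[0] = sbox(t[1]) ^ rcon; t[1] = sbox(t[2]); t[2] = sbox(t[3]); t[3] = sbox(t0);
            rcon = ffm2(rcon);
        }
        for (int k = 0; k < 4; k++) rk[i + k] = rk[i - 16 + k] ^ t[k];
    }
}

/* Common difference of the address series: low two bits of the round
 * counter followed by the binary digits '01', i.e. 5, 9, 13, 1, 5, ... */
static uint8_t shiftrows_increment(int round) { return (uint8_t)(((round & 3) << 2) | 1); }

/* One MixColumns output byte from the four column bytes, indices modulo 4. */
static uint8_t mixcol_byte(const uint8_t x[4], int i) {
    return ffm2(x[i]) ^ ffm3(x[(i + 1) & 3]) ^ x[(i + 2) & 3] ^ x[(i + 3) & 3];
}

static void aes128_encrypt_8bit(const uint8_t in[16], const uint8_t key[16], uint8_t out[16]) {
    uint8_t rk[176], mem[16];   /* mem models the 16-byte single-port data memory */
    key_expand(key, rk);
    /* Round 0: AddRoundKey on each input byte before it is first stored. */
    for (int k = 0; k < 16; k++) mem[k] = in[k] ^ rk[k];
    for (int r = 1; r <= 10; r++) {
        uint8_t inc = shiftrows_increment(r), addr = 0;   /* 4-bit accumulator */
        for (int col = 0; col < 4; col++) {
            uint8_t src[4], x[4];
            for (int k = 0; k < 4; k++) {             /* fill the 4-byte buffer */
                src[k] = addr;                         /* remember the read address */
                x[k] = sbox(mem[addr]);                /* SubBytes on the way in */
                addr = (uint8_t)((addr + inc) & 0x0f); /* next ShiftRows operand */
            }
            for (int k = 0; k < 4; k++) {
                uint8_t v = (r < 10) ? mixcol_byte(x, k) : x[k]; /* final round bypass */
                v ^= rk[16 * r + 4 * col + k];                    /* AddRoundKey */
                if (r < 10) mem[src[k]] = v;   /* write back to the read address */
                else out[4 * col + k] = v;     /* final round goes straight out */
            }
        }
    }
}

/* FIPS-197 Appendix C.1 AES-128 vector; returns 1 on a match. */
static int selftest(void) {
    static const uint8_t pt[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                   0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t key[16] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                                    0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    static const uint8_t expect[16] = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                       0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    uint8_t ct[16];
    aes128_encrypt_8bit(pt, key, ct);
    return memcmp(ct, expect, 16) == 0;
}

int main(void) {
    printf("FIPS-197 C.1 vector: %s\n", selftest() ? "match" : "MISMATCH");
    return selftest() ? 0 : 1;
}
```

Because every round writes each column's result back to the four addresses it was read from and the next round's address series compensates, no byte is ever moved in `mem`; the ciphertext leaves in logical order only because the final round bypasses the memory and is emitted directly, as the bypass mode described for the last round does.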
In a second aspect of the invention there is provided apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the controller being configured to control the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
Preferably the apparatus is configured according to an 8-bit architecture.
Preferably the data memory is configured to store a 128-bit working State of the cipher as 16 bytes of data.
Preferably the key memory is configured to store a 128-bit Cipherkey as 16 bytes of data.
Preferably the data memory comprises a single port memory.
Preferably the key memory comprises a single port memory.
The feature of implementing the AddRoundKey operation on data input to the apparatus before the data is first stored in the data memory has the advantage that a reduction in the number of clock cycles required to perform the AES encryption process is achieved.
The increased efficiency in turn leads to a reduction in an amount of power and energy required to perform an AES process.
In a third aspect of the invention there is provided apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, wherein the controller is further configured to control the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
$$M = \begin{bmatrix} \mathrm{ffm2}(a) + \mathrm{ffm3}(b) + c + d \\ \mathrm{ffm2}(b) + \mathrm{ffm3}(c) + a + d \\ \mathrm{ffm2}(c) + \mathrm{ffm3}(d) + a + b \\ \mathrm{ffm2}(d) + \mathrm{ffm3}(a) + b + c \end{bmatrix}$$
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
$$M_i = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$$
where $x_i$ is one of four bytes representing a column of State, + is modulo-2 addition, and ffm2 and ffm3 are finite field doubling and tripling respectively.
This has the advantage of reducing the number of cycles and power required in order to perform the AES process in an 8-bit architecture whilst still supporting the use of a single port data memory.
Preferably the MixColumns unit is provided with a set of gates to prevent unwanted switching activity propagating into the unit reducing power consumption.
Preferably the MixColumns unit is provided with a bypass, the apparatus being arranged to act in the final round of the AES to pass data to an output of the MixColumns unit without performing a MixColumns operation on the data bytes.
CMOS power consumption is usually dominated by the dynamic power consumption arising from the switching activity of a device, static power being neglected. However, at low frequencies the static component is not insignificant.
Cipher primitives, including the AES, make frequent use of fields of XOR gates which can generate a substantial amount of undesirable dynamic switching activity due to path length differences.
In embodiments of the invention this is checked by the placement of the shift register between the SubBytes portion (or SubBytes operator) and MixColumns portion (or MixColumns operator) together with AND gate style enable signals to prevent unwanted activity in both KeyExpansion and State-processing parts of the datapath.
In a fourth aspect of the invention there is provided apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, a datapath of the apparatus being configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion.
As described above this has the advantage of reducing the design area of the apparatus since only one SubBytes unit is required. It is not required to provide two or more SubBytes units.
Preferably, the controller is configured to control the apparatus to perform the round processing and KeyExpansion operations in column order.
In a fifth aspect of the invention there is provided an RFID device comprising apparatus according to any preceding aspect.
In a sixth aspect of the invention there is provided an RFID device comprising apparatus according to any of the first to fourth aspects of the invention.
In a seventh aspect of the invention there is provided a method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to transfer a data byte from each of a series of addresses in the data memory to the 
SubBytes portion, the series of addresses being generated such that the output of the data memory is a column of State as it would appear following a ShiftRows operation, the ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
Preferably the addresses are determined by calculation of an arithmetic series, a common difference of the arithmetic series being a composite binary number, the composite binary number being a composite of the least significant two bits of a round number, the round number being the number of the round of the AES currently being performed, and the two-bit binary constant '01'.
In an eighth aspect of the invention there is provided a method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
In a ninth aspect of the invention there is provided a method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
$$M = \begin{bmatrix} \mathrm{ffm2}(a) + \mathrm{ffm3}(b) + c + d \\ \mathrm{ffm2}(b) + \mathrm{ffm3}(c) + a + d \\ \mathrm{ffm2}(c) + \mathrm{ffm3}(d) + a + b \\ \mathrm{ffm2}(d) + \mathrm{ffm3}(a) + b + c \end{bmatrix}$$
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
$$M_{\mathrm{byte}} = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$$
where $x_i$ is one of the four bytes representing a column of State, + denotes modulo-2 addition, and ffm2 and ffm3 denote finite field doubling and tripling respectively.
In a tenth aspect of the invention there is provided a method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a roundprocessing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus such that the SubBytes unit is shared between the round processing portion and the KeyExpansion portion.
Embodiments of the invention have a low number of clock cycles with respect to prior art implementations of the AES process using an 8-bit datapath.
Embodiments of the invention will now be described with reference to the accompanying figures in which:
FIGURE 1 is a diagram of a sequence of operations according to the AES;
FIGURE 2 is a schematic diagram of apparatus according to a first embodiment of the invention;
FIGURE 3 is a diagram of a datapath of the apparatus according to the first embodiment;
FIGURE 4 is a schematic diagram of a MixColumns portion according to the first embodiment;
FIGURE 5 is a flow-graph describing one round of a 128-bit KeyExpansion performed by the KeyExpansion portion of apparatus according to the first embodiment;
FIGURE 6 (a) to (c) is an annotated state transition diagram for a controller of apparatus according to the first embodiment;
FIGURE 7 shows the ordering of bytes composing the State for rounds 0 to 4 of the AES process;
FIGURE 8 is a state diagram showing the content of an input to a MixColumns shift register, the content of the shift register and an output of a MixColumns portion during the course of seven cycles of one column of MixColumns processing;
FIGURE 9 is a post library merge layout of Example 1 highlighting the relative size of a core compared to the overall design; and
FIGURE 10 is a table of measured performance values from a batch of manufactured devices (example 1 below) with comparison to a prior art device.
In a first embodiment of the invention there is provided apparatus 1 (FIG. 2) having a datapath 3 and a controller 2. The corresponding state transition diagram for the controller 2 is presented in FIG. 4.
The controller 2 has a finite state machine 2A, a 4-bit round counter 2B, a key address counter 2C and a State address counter 2D. In this embodiment the finite state machine has 27 states.
The apparatus is further provided with a data input 10 and a data output 12. According to the first embodiment the data input 10 and data output 12 are of 8-bit configuration. The apparatus 1 is also provided with a roundprocessing portion 100 and a KeyExpansion portion 200 (FIG. 3).
The apparatus 1 is arranged to pass a byte of data provided at the data input 10 to both a data memory 20 and a key memory 30 for storage therein. The data memory 20 and key memory 30 are both single port memories and are each arranged to store 16 bytes of data.
It will be appreciated that embodiments of the apparatus may be configured to have either a single bidirectional data bus or separate data inputs and outputs.
According to the AES process as implemented in the present embodiment of the invention, processing is performed in turn on datasets of 16 bytes of data. The 16 bytes of data processed in a given dataset are referred to as byte numbers 0 to 15 according to the order of their being presented to the data input 10. It will be appreciated that a binary value represented by a given byte will change in the course of processing the bytes according to the AES but that the byte number will not change.
Prior to inputting data to apparatus according to the present embodiment of the invention, a Cipherkey is first loaded into the key memory 30 via the data input 10.
The first round (round 0) of the AES process requires the AddRoundKey function to be performed on each of the 16 bytes of data input to the apparatus 1. According to the first embodiment, the AddRoundKey function is performed as the bytes are first passed in turn from the data input 10 to the data memory 20, for initial storage in data memory 20. In other words, the AddRoundKey function is performed before a given byte of data is passed to the data memory 20 from the data input 10.
The initial AddRoundKey function is performed one byte at a time by means of an 8-bit modulo-2 addition using eight XOR gates that form an AddRoundKey unit 40. A first input 41 of the AddRoundKey unit 40 is connected to the data input 10, whilst a second input 42 of the AddRoundKey unit 40 is connected to an output of a KeyExpansion portion 200 of the apparatus 1. The AddRoundKey unit 40 is configured to perform 16 cycles of operation in order to accomplish one complete round of processing according to the AES process. The processing is performed in groups of 4 cycles.
It can therefore be understood that the process of loading the 16 bytes of a dataset into data memory 20 via AddRoundKey unit 40 accomplishes the first round (round 0) of processing of the data according to the AES.
It will be appreciated by those skilled in the art that apparatus 1 according to the first embodiment of the invention in which the AddRoundKey function is performed as data is loaded for the first time into a data memory 20 using an 8-bit datapath has the advantage of reducing a number of clock cycles required in order to implement the AES compared with known implementations of the AES. It will be appreciated that at least 16 clock cycles are saved by performing the AddRoundKey function in this manner.
Furthermore, processing 8 bits at a time rather than (say) 128 bits results in a significant reduction in power consumption and design area.
Once round 0 is complete, the first four bytes of the data memory 20 (bytes 0 to 3) are fed sequentially into a SubBytes unit 50 in order to commence round 1 of the AES process.
A given sequence of four bytes being processed are also referred to as bytes a, b, c, d.
It is noted that the SubBytes and ShiftRows functions of the AES algorithm are orthogonal and that, consequently, the order in which the SubBytes and ShiftRows functions are performed yields the same numerical result.
The SubBytes unit 50 according to the first embodiment implements the SubBytes process using composite field arithmetic. The normal basis construction of Canright (case #4) is used (D. Canright, 'A very compact S-box for AES', LNCS 3659 pp. 441 - 455, 2005, Springer, incorporated herein by reference).
The SubBytes unit 50 is shared between the round processing and KeyExpansion portions 100, 200 of the apparatus. An output 52 of the SubBytes unit 50 is arranged to be connected to pass data either to a shift register 60 of the MixColumns portion 70 of the round processing portion 100 of the apparatus 1 or to a KeyExpansion portion 200 of the apparatus 1.
The SubBytes unit 50 is shared between the round processing portion 100 and the KeyExpansion portion 200 of the apparatus 1 by means of time multiplexing under the control of the controller 2.
In low bit-width datapath implementations of the AES, i.e. less than 128 bits (such as 8 bits as in the present embodiment or 32 bits as in the case of some embodiments), there is a disparity between the 32-bit columns of data needed to perform the MixColumns function and the 32-bit rows required for the ShiftRows function. Frequently this results in additional logic resources or clock cycles being required in order to perform a swap between processing rows and columns.
However, in apparatus 1 according to the present embodiment configured according to an 8-bit architecture, the ShiftRows functionality is implemented by keeping track of the memory addresses of the operands required for the process within the same and successive rounds. Consequently it is not required to move data from one memory location to another, as will be seen in the following description of this function.
According to the first embodiment, the ShiftRows function is performed effectively in column order. It will be appreciated by those skilled in the art that performing the ShiftRows function in column order is a departure from the conventional approach which is to perform the ShiftRows function in row order.
However, by performing the ShiftRows function in column order in an 8-bit architecture configured according to the present embodiment, the SubBytes and ShiftRows functions, and the process of feeding bytes from the data memory 20 to the shift register 60 of the MixColumns portion 70 can occur concurrently.
A second phase of processing evaluates the MixColumns function (by means of MixColumns portion 70) followed by the AddRoundKey function (by means of the AddRoundKey portion 40). Columns of State are then returned to the data memory 20. FIG. 7 shows the ordering of bytes of State for rounds 0 to 4 of the AES process. The process can be seen to form a repeating pattern of the order of bytes of State every four rounds.
In order to perform the MixColumns operation bytes are required to be read out a column at a time. In some alternative embodiments of the invention, each round requiring implementation of the ShiftRows process involves the transfer of bytes between different locations (addresses) of data memory 20.
In apparatus 1 according to the present embodiment the requirement to perform the ShiftRows process involving the logical rearrangement of the bytes in memory and the requirement to read the bytes one column at a time are both fulfilled by the controller 2 keeping track of the mapping between physical and logical byte locations.
With reference to FIG. 7, in the ShiftRows operation of the AES process of round 1, the order of the first row of bytes of the State remains unchanged, i.e. the row contains bytes 0, 4, 8, 12 in that order. However, the bytes of the second row are shifted one position to the left, the byte in the first column of the second row being wrapped around to the fourth (last) column of the second row. The bytes of the third row are shifted two positions to the left in a corresponding manner, whilst the bytes of the fourth row are shifted three positions to the left.
In subsequent rounds, when it is required to perform the ShiftRows step according to the AES process (round 2, round 3 and so forth), a similar process is applied to the State, as can be seen in FIG. 7.
It can be seen that the ordering of bytes of the State in round 0 and round 4 is identical. In other words the ordering of bytes of the State is cyclical, the cycle repeating itself every fourth round.
According to other 8-bit prior art implementations of the AES, the logical reordering of bytes of the State following a shift rows operation is implemented by physically reordering the location of the bytes in the memory.
However, careful analysis of the reordering of data bytes implemented by the ShiftRows process in this embodiment reveals that the sequence in which the data bytes corresponding to original bytes 0 to 15 (as read into the data memory 20 in round 0) are ordered in the State follows a predictable pattern, based on the value of the round counter.
In the case of round 0, the increment in the value of the original logical memory address of the bytes in each column of the State increases by '+1' modulo 16 (starting with 0) as one moves in column order. That is, in the first column the ordering is 0, 1, 2, 3; in the second column the ordering is 4, 5, 6, 7; in the third column the ordering is 8, 9, 10, 11; and in the fourth column the ordering is 12, 13, 14, 15.
In the case of round 1, the increment in the value of the original byte order value (or byte number) of the required bytes increases by '+5' modulo 16 (again, starting with 0) as one moves down one column and to the top of the next column. That is, in the first column the order is 0, 5, 10, 15; in the second column the order is 4, 9, 14, 3; in the third column the order is 8, 13, 2, 7; and in the fourth column the order is 12, 1, 6, 11.
Thus, in performing the MixColumns step in round 1 , the byte numbers of the first four data bytes to be passed to the MixColumns portion 70 are given by the values in the first column of the State given in FIG. 7. The byte numbers of the subsequent bytes to be passed to the MixColumns portion 70 are given by the remaining three columns of the State.
In the case of round 2, the corresponding increment is '+9' modulo 16; in the case of round 3 the increment is +13 modulo 16 and in the case of round 4 the increment is again +1 modulo 16.
If the values of the respective different increments for successive rounds (+1, +5, +9, +13, +1, +5, +9, +13, +1, +5) are written in binary form (0001, 0101, 1001, 1101, 0001, 0101, 1001, 1101, 0001, 0101), it may be seen that the binary form is the composite of the least significant two bits of the round counter and the digits '01'. In other words, the binary form of the respective different increments is a composite binary number, as may be seen by inspection of FIG. 7.
Based on this observation it will be understood that the ShiftRows function can be implemented in an 8-bit architecture configured according to the present embodiment without a requirement to change the physical location in data memory 20 at which a byte corresponding to a given input byte number (0 to 15) is stored.
Rather, according to the first embodiment of the invention, the required sequence of bytes can be provided to the shift register 60 of the MixColumns portion 70 of the apparatus 1 by inputting data to the SubBytes unit 50 from locations of the data memory 20 the addresses of which are determined by adding the above composite binary number to itself repeatedly, starting at zero, until all 16 bytes to be processed in a given round have been provided.
According to the first embodiment, storage of the address from which data is to be accessed from the data memory 20 is performed using a 4-bit accumulator. It will be appreciated that substantial resources are saved in apparatus according to the present embodiment compared with apparatus configured to physically reorder the location of data in memory in the course of implementing the ShiftRows operation.
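The addressing scheme just described, worked through as an added illustration that is not part of the patent text: the stride is formed from the two low bits of the round counter and the constant '01', a 4-bit accumulator generates the 16 read addresses, and the result is checked against a direct simulation of ShiftRows on byte numbers laid out as in FIG. 7. The column-major layout (byte n at row n mod 4, column n div 4) and all function names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>

/* Common difference of the address series for a given round: the two least
   significant bits of the round counter concatenated with the constant '01',
   i.e. 0001, 0101, 1001, 1101 for rounds 0, 1, 2, 3, then repeating. */
static uint8_t shiftrows_stride(unsigned round)
{
    return (uint8_t)(((round & 3u) << 2) | 1u);
}

/* The 16 data memory addresses read in a round, in the order they are fed
   to the SubBytes unit: a 4-bit accumulator starting at 0 and adding the
   stride modulo 16.  Each group of four is one column of State as it would
   appear after ShiftRows; the bytes themselves never move in memory. */
static void shiftrows_addresses(unsigned round, uint8_t addr[16])
{
    uint8_t acc = 0;                     /* 4-bit accumulator */
    uint8_t d = shiftrows_stride(round);
    for (int i = 0; i < 16; i++) {
        addr[i] = acc;
        acc = (uint8_t)((acc + d) & 0x0f);
    }
}

/* Reference: byte numbers laid out column-major (assumed: byte n at row n%4,
   column n/4), ShiftRows (row r rotated left by r positions) applied once per
   round so far, then read back column by column.  This reproduces the logical
   order shown in FIG. 7 for rounds 0 to 4. */
static void shiftrows_reference(unsigned round, uint8_t order[16])
{
    uint8_t state[4][4];
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++)
            state[r][c] = (uint8_t)(4 * c + r);
    for (unsigned k = 0; k < round; k++) {
        uint8_t next[4][4];
        for (int r = 0; r < 4; r++)
            for (int c = 0; c < 4; c++)
                next[r][c] = state[r][(c + r) & 3];
        for (int r = 0; r < 4; r++)
            for (int c = 0; c < 4; c++)
                state[r][c] = next[r][c];
    }
    for (int c = 0; c < 4; c++)
        for (int r = 0; r < 4; r++)
            order[4 * c + r] = state[r][c];
}

/* Returns 1 if the arithmetic series reproduces the logical ShiftRows order
   for the given round, 0 otherwise. */
static int shiftrows_addressing_matches(unsigned round)
{
    uint8_t a[16], b[16];
    shiftrows_addresses(round, a);
    shiftrows_reference(round, b);
    for (int i = 0; i < 16; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Print the read order for every round of AES-128 and check each one. */
    for (unsigned round = 0; round <= 10; round++) {
        uint8_t addr[16];
        shiftrows_addresses(round, addr);
        printf("round %2u stride %2u:", round, (unsigned)shiftrows_stride(round));
        for (int i = 0; i < 16; i++)
            printf(" %2u", (unsigned)addr[i]);
        printf("  %s\n", shiftrows_addressing_matches(round) ? "ok" : "MISMATCH");
    }
    return 0;
}
```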
According to the first embodiment, in order to implement the MixColumns function of the AES process, byte numbers corresponding to those listed in the columns of the various rounds represented in FIG. 7 are passed one by one to a 4x8-bit shift register 60 of the MixColumns portion 70 of the apparatus 1 as described above.
The contents of the shift register 60 are then placed on four inputs of the MixColumns unit 65 configured to perform the AES MixColumns function. An output 72 of the MixColumns portion 70 is fed via the AddRoundKey unit 40 back to the data memory 20. Data processed by the MixColumns unit 65 is thereby returned to the respective byte locations of the data memory 20 from which the data was originally read, ready to be read out in the course of the next round.
In other words the physical locations of respective bytes are not changed, allowing the use of single port memories. Thus, if (as in the case of the first embodiment) data bytes 0 to 15 are stored at memory locations 0 to 15 when they are first read in to the data memory 20, data bytes 0 to 15 will remain stored at these locations at the start of each round of the AES process (with the obvious exception of round 0).
The storage and addressing scheme described above permits the fetching of data bytes for each round of the AES process in the correct logical order. This feature in turn allows implementation of the AES process using an 8-bit datapath in a shorter critical path or lower number of clock cycles.
In embodiments of the invention operating at relatively low clock frequencies the critical path is a few orders of magnitude less than the clock period at typical process voltages. The core voltage can thus be lowered thereby further reducing power consumption.
The temporary data storage inherent in the MixColumns portion 70 further assists in simplifying addressing; this is particularly important in embodiments of the invention using single port memories and an 8-bit datapath. Storage in the shift register 60 of the MixColumns portion 70 assists in breaking unwanted switching activity in an otherwise long path of XOR gates; it also assists in avoiding repeatedly fetching the same operands for the MixColumns unit 65.
The MixColumns function for one column of the MixColumns process according to the AES process is calculated by the MixColumns portion 70 as follows for a given column of four bytes [a b c d]:
$$M = \begin{bmatrix} \mathrm{ffm2}(a) + \mathrm{ffm3}(b) + c + d \\ \mathrm{ffm2}(b) + \mathrm{ffm3}(c) + a + d \\ \mathrm{ffm2}(c) + \mathrm{ffm3}(d) + a + b \\ \mathrm{ffm2}(d) + \mathrm{ffm3}(a) + b + c \end{bmatrix}$$
This may be written conveniently in terms of the shifted series of input bytes with all the byte indices being modulo 4:
$$M_{\mathrm{byte}} = \mathrm{ffm2}(x_i) + \mathrm{ffm3}(x_{i+1}) + x_{i+2} + x_{i+3}$$
where $x_i$ is one of the four bytes representing a column of State, + denotes modulo-2 addition, and ffm2 and ffm3 denote finite field doubling and tripling respectively.
Thus, processing of each column of data bytes by the MixColumns portion 70 is performed by rotating through the four bytes of each column and requires seven clock cycles to be completed. This includes fetching and writing bytes of data to and from data memory 20. It will be appreciated that the contents of a given address in data memory 20 may be made available to the SubBytes unit 50 and propagate through the SubBytes unit 50 to the MixColumns portion 70 for loading into the MixColumns portion 70 within a single clock cycle.
FIG. 8 is a state diagram showing the content of the input (column 1) to the MixColumns shift register 60, the content of the shift register itself (column 2) and the output of the MixColumns portion 70 (column 3) during the course of one column of MixColumns processing.
In the first four cycles, data bytes a to d are sequentially placed on the input 61 of the shift register 60, thereby loading each byte into the shift register 60. The letters a to d represent the particular series of four byte numbers being processed at any given stage of a round.
Once the bytes have been loaded into the shift register 60, in the fourth to seventh cycles the results M0 to M3 of the MixColumns process are output to the original address locations of bytes a to d, respectively.
Thus a total of seven cycles per column, and four columns per round are required in order to implement a complete round function. In other words, 28 clock cycles are required to perform each round of the middle rounds.
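A cycle-level model of the seven-cycle column processing described above and of the rotated single-equation form of MixColumns, as an added example rather than the patent's own design: the four shift register taps, the recirculation of the oldest byte during cycles 5 to 7 and the enable gating of the a, b and c operands are modelled as assumed here, and the result is checked against the MixColumns matrix of FIPS-197.

```c
#include <stdint.h>
#include <stdio.h>

/* Finite field doubling (xtime) and tripling in GF(2^8) with the AES
   reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x1b). */
static uint8_t ffm2(uint8_t x)
{
    return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00));
}

static uint8_t ffm3(uint8_t x)
{
    return (uint8_t)(ffm2(x) ^ x);
}

/* The MixColumns unit as a fixed function of the four shift register taps
   p0..p3 (p0 = oldest byte).  With en = 1 it computes
       ffm2(p0) + ffm3(p1) + p2 + p3        (+ is XOR)
   With en = 0 the p0, p1, p2 operands are gated to zero, so the unit
   reduces to p3 and the byte passes through unmodified (final-round bypass).
   Which tap is the pass-through is an assumption of this model. */
static uint8_t mixcolumns_unit(uint8_t p0, uint8_t p1, uint8_t p2, uint8_t p3, int en)
{
    uint8_t g0 = en ? p0 : 0;
    uint8_t g1 = en ? p1 : 0;
    uint8_t g2 = en ? p2 : 0;
    return (uint8_t)(ffm2(g0) ^ ffm3(g1) ^ g2 ^ p3);
}

/* One column through the 4x8-bit shift register: cycles 1-4 shift bytes
   a..d in one per cycle; on cycle 4 the register holds the whole column
   and the unit emits M0.  On cycles 5-7 the oldest byte recirculates to
   the tail, rotating the column so the same fixed function yields M1, M2
   and M3 without re-fetching any operand.  Returns the cycle count (7). */
static int mixcolumns_column(const uint8_t in[4], uint8_t out[4])
{
    uint8_t sr[4] = {0, 0, 0, 0};
    int cycle = 0;
    for (int k = 0; k < 4; k++) {            /* cycles 1..4: load a..d */
        sr[0] = sr[1]; sr[1] = sr[2]; sr[2] = sr[3]; sr[3] = in[k];
        cycle++;
    }
    out[0] = mixcolumns_unit(sr[0], sr[1], sr[2], sr[3], 1);   /* cycle 4: M0 */
    for (int k = 1; k < 4; k++) {            /* cycles 5..7: rotate, M1..M3 */
        uint8_t oldest = sr[0];
        sr[0] = sr[1]; sr[1] = sr[2]; sr[2] = sr[3]; sr[3] = oldest;
        out[k] = mixcolumns_unit(sr[0], sr[1], sr[2], sr[3], 1);
        cycle++;
    }
    return cycle;
}

/* Reference: the FIPS-197 MixColumns matrix applied directly, used to show
   that the rotated single-equation form is the same transformation. */
static void mixcolumns_reference(const uint8_t c[4], uint8_t out[4])
{
    out[0] = (uint8_t)(ffm2(c[0]) ^ ffm3(c[1]) ^ c[2] ^ c[3]);
    out[1] = (uint8_t)(c[0] ^ ffm2(c[1]) ^ ffm3(c[2]) ^ c[3]);
    out[2] = (uint8_t)(c[0] ^ c[1] ^ ffm2(c[2]) ^ ffm3(c[3]));
    out[3] = (uint8_t)(ffm3(c[0]) ^ c[1] ^ c[2] ^ ffm2(c[3]));
}

/* Returns 1 if the shift register model agrees with the reference matrix. */
static int mixcolumns_model_matches(const uint8_t col[4])
{
    uint8_t a[4], b[4];
    mixcolumns_column(col, a);
    mixcolumns_reference(col, b);
    return a[0] == b[0] && a[1] == b[1] && a[2] == b[2] && a[3] == b[3];
}

int main(void)
{
    /* FIPS-197 MixColumns example column: db 13 53 45 -> 8e 4d a1 bc */
    const uint8_t col[4] = {0xdb, 0x13, 0x53, 0x45};
    uint8_t out[4];
    int cycles = mixcolumns_column(col, out);
    printf("%d cycles: %02x %02x %02x %02x\n", cycles, out[0], out[1], out[2], out[3]);
    return mixcolumns_model_matches(col) ? 0 : 1;
}
```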
FIG. 5(a) is a schematic apparatus diagram of the MixColumns portion 70 showing the MixColumns shift register 60 and the MixColumns unit 65. FIG. 5(b) shows the negative logic definition of ffm2 (i.e. $\overline{\mathrm{ffm2}}$) whilst FIG. 5(c) shows the negative logic definition of ffm3 (i.e. $\overline{\mathrm{ffm3}}$).
In the final round (round 10 according to the AES specification), the MixColumns operation is not performed. Data is transferred from the data memory 20 via the SubBytes unit 50 to the shift register 60 of the MixColumns portion 70 as described with respect to round 1 above. Thus, the ShiftRows and SubBytes functions are performed on the data.
However, in the final round only, the controller 2 controls the apparatus 1 to place the MixColumns portion 70 effectively in a bypass mode by driving control line 'mixcol_en' to logic 0. This allows data to transfer directly from the shift register 60 to the data output 12 via the AddRoundKey portion 40 of the apparatus 1 (i.e. XOR gates 40).
It can be seen from FIG. 3 and FIG. 6 that the AddRoundKey function is performed before the data is output via data output 12.
The MixColumns unit 65 also contains a set of gates to zero the input of the a,b and c operands (FIG. 4) to reduce unwanted switching activity and provide for a bypass required for the final round.
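The byte-serial MixColumns schedule described above (four bytes shifted in, then rotated through the register while M0 to M3 are produced, and the 'mixcol_en' bypass realised by gating the a, b and c operands to zero), as an added C model written for this page; it is not code from the patent or its authors. The register orientation, the assumption that in bypass mode each loaded byte leaves in the same cycle it enters, and the self-test column are my own choices; ffm2 is the FIPS 197 xtime operation and the output equation is the one given in claim 13.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ffm2: finite-field doubling in GF(2^8) modulo x^8+x^4+x^3+x+1 (FIPS 197 xtime) */
uint8_t ffm2(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00)); }
/* ffm3: finite-field tripling, ffm2(x) + x */
uint8_t ffm3(uint8_t x) { return (uint8_t)(ffm2(x) ^ x); }

/* One column through the MixColumns portion. Assumed model (not the patent's
   netlist): a 4x8-bit shift register takes one byte per cycle on cycles 1..4,
   then is fed back from its far end so the column rotates; M0..M3 appear on
   cycles 4..7. With mixcol_en == 0 the a, b, c operands are gated to zero, so
   each loaded byte passes straight through (final-round bypass).
   Returns the number of cycles consumed. */
int mixcolumns_column(const uint8_t in[4], uint8_t out[4], int mixcol_en) {
    uint8_t sr[4] = {0, 0, 0, 0};   /* sr[0] is the input end of the register */
    int cycle = 0, nout = 0;
    while (nout < 4) {
        cycle++;
        uint8_t next = (cycle <= 4) ? in[cycle - 1] : sr[3];   /* load, then recirculate */
        sr[3] = sr[2]; sr[2] = sr[1]; sr[1] = sr[0]; sr[0] = next;
        /* operand gating: a, b, c are forced to zero when MixColumns is disabled */
        uint8_t a = mixcol_en ? sr[3] : 0;
        uint8_t b = mixcol_en ? sr[2] : 0;
        uint8_t c = mixcol_en ? sr[1] : 0;
        uint8_t d = sr[0];
        /* M_i = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3}, indices modulo 4 */
        uint8_t m = (uint8_t)(ffm2(a) ^ ffm3(b) ^ c ^ d);
        if (!mixcol_en)
            out[nout++] = m;          /* bypass: m == d == the byte just loaded */
        else if (cycle >= 4)
            out[nout++] = m;          /* register now holds a full rotation of the column */
    }
    return cycle;
}

/* All four columns of a column-major 16-byte State, written back to the source
   positions; 7 cycles per column, 28 per middle round. Returns total cycles. */
int mixcolumns_state(uint8_t state[16], int mixcol_en) {
    int cycles = 0;
    for (int c = 0; c < 4; c++) {
        uint8_t out[4];
        cycles += mixcolumns_column(&state[4 * c], out, mixcol_en);
        memcpy(&state[4 * c], out, 4);
    }
    return cycles;
}

/* Self-test on a widely used MixColumns test column: {db,13,53,45} -> {8e,4d,a1,bc} */
int mixcolumns_selftest(void) {
    const uint8_t col[4]  = {0xdb, 0x13, 0x53, 0x45};
    const uint8_t want[4] = {0x8e, 0x4d, 0xa1, 0xbc};
    uint8_t out[4];
    if (mixcolumns_column(col, out, 1) != 7 || memcmp(out, want, 4) != 0) return 0;
    if (mixcolumns_column(col, out, 0) != 4 || memcmp(out, col, 4) != 0) return 0;
    return 1;
}

int main(void) {
    printf("MixColumns self-test: %s\n", mixcolumns_selftest() ? "ok" : "FAILED");
    return mixcolumns_selftest() ? 0 : 1;
}
```

Running the model with mixcol_en set reproduces the seven cycles per column stated above; clearing it delivers the column unchanged, which is what the final round requires before AddRoundKey.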
According to the first embodiment of the invention the apparatus 1 has single port memories implemented with flip-flops. In some embodiments the single port memories are implemented by smaller semiconductor process-specific elements such as dynamic or static memory hard macros.
The KeyExpansion portion 200 of the apparatus 1 has a key memory 30, a KeyExpansion unit 85, a KeyExpansion shift register 80 and an RCON unit 90.
The process of KeyExpansion starts with the Cipherkey and is operated by the controller 2 to produce successive bytes of the next RoundKey. These bytes are used by the AddRoundKey unit 40 and are also stored in the key memory 30 to allow the process of KeyExpansion to be continued for each successive round.
Under action of the controller 2, the RCON register 92 may be put into an initial state representing the value {01}.
On successive clock cycles and by the application of a signal from the controller 2 the remaining sequence of numbers is generated, here expressed in hexadecimal, {02}, {04}, {08}, {10}, {20}, {40}, {80}, {1b}, {36}, {6c}, {d8}, {ab}, {4d}, etc.
The key memory 30 is also configured to store 16 bytes of data, as in the case of the data memory 20.
The KeyExpansion shift register 80 is provided in order to obtain an 'older' (previous) RoundKey byte required as part of the KeyExpansion function. A deliberate delay of one cycle is introduced using the KeyExpansion shift register 80 in order to coordinate the process of KeyExpansion with data input 41 of the AddRoundKey unit 40.
Only forward KeyExpansion is required to be performed according to the first embodiment of the invention. Forward KeyExpansion may be performed one column at a time in order to integrate the KeyExpansion process with the MixColumns process.
Each round, i, of the KeyExpansion is described by the following equation, where S(x) represents the SubBytes operation, f the finite field doubling used for the RCON calculation, k^i the RoundKeys, k^i_c their columns and k^i_{r,c} the individual bytes of a RoundKey; the initial RoundKey, k^0, is equal to the cipher key:
Figure imgf000029_0001
and k^i_j = k^{i-1}_j + k^i_{j-1} for j = 1, 2, 3
The KeyExpansion process is performed in column order to suit the order of RoundKey bytes required by the round processing portion 100. The KeyExpansion unit 85 consists of a 4x8-bit shift register 80 and a conditional 4-input finite field addition unit 87. The shift register 80 and addition unit 87 are operated by the controller 2 to perform mathematical operations in accordance with the above equation.
The process is alternatively described by the flowgraph of FIG. 6 which represents a 128-bit KeyExpansion performed according to the AES specification.
As discussed above, the four SubBytes calculations of the KeyExpansion process are performed using the SubBytes unit 50 of the round processing portion 100 of the apparatus 1 on a time-multiplexed basis. This feature has the advantage of reducing a complexity and area of the overall apparatus. This is at least in part because a separate SubBytes unit for the KeyExpansion process is not required to be provided.
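The RCON sequence and the KeyExpansion equations above, as an added C model written for this page (mine, not the patent's or the authors' code): one round of forward KeyExpansion is performed byte by byte, in column order, in place on a 16-byte key memory, with every SubBytes evaluation going through a single S-box routine in the way the shared SubBytes unit 50 is used. The column-major layout of the key memory, the S-box computed from the GF(2^8) inverse and affine map instead of a lookup table, and the use of the FIPS 197 Appendix A example Cipherkey for the self-test are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* finite-field doubling (FIPS 197 xtime); also the RCON step f of the equation */
static uint8_t ffm2(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00)); }

/* GF(2^8) multiply, used only to derive the S-box value below */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) { if (b & 1) p ^= a; a = ffm2(a); b >>= 1; }
    return p;
}

/* SubBytes for one byte: multiplicative inverse (x^254, with 0 -> 0) followed by
   the FIPS 197 affine map. Stands in for the shared SubBytes unit 50. */
uint8_t sub_byte(uint8_t x) {
    uint8_t inv = 1, s;
    for (int i = 0; i < 254; i++) inv = gf_mul(inv, x);
    s = inv;
    for (int i = 1; i <= 4; i++) s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return (uint8_t)(s ^ 0x63);
}

/* RCON register: initial state {01}; one finite-field doubling per round gives
   {02}, {04}, {08}, {10}, {20}, {40}, {80}, {1b}, {36}, {6c}, ... */
uint8_t rcon_next(uint8_t rcon) { return ffm2(rcon); }

/* One round of forward KeyExpansion, byte-serial and in place. key[] is the
   16-byte key memory in column-major order (index 4*c + r): on entry it holds
   RoundKey i-1, on return RoundKey i. Bytes are produced column by column,
   which is the order AddRoundKey consumes them. Returns bytes produced. */
int keyexpansion_round(uint8_t key[16], uint8_t rcon) {
    int produced = 0;
    for (int c = 0; c < 4; c++) {
        for (int r = 0; r < 4; r++) {
            uint8_t older;   /* the 'older' RoundKey byte added to k^{i-1}_{r,c} */
            if (c == 0) {
                /* k^i_{r,0} = k^{i-1}_{r,0} + S(k^{i-1}_{(r+1) mod 4, 3}) + (r == 0 ? rcon : 0);
                   column 3 still holds round i-1 at this point */
                older = sub_byte(key[4 * 3 + ((r + 1) & 3)]);
                if (r == 0) older ^= rcon;
            } else {
                /* k^i_{r,c} = k^{i-1}_{r,c} + k^i_{r,c-1}; column c-1 is already updated */
                older = key[4 * (c - 1) + r];
            }
            key[4 * c + r] ^= older;
            produced++;
        }
    }
    return produced;
}

/* Ten rounds from the Cipherkey; roundkeys[0] is the Cipherkey itself.
   Returns the RCON value used in the last round (0x36 for AES-128). */
uint8_t keyexpansion_all(const uint8_t cipherkey[16], uint8_t roundkeys[11][16]) {
    uint8_t key[16], rcon = 0x01;
    memcpy(key, cipherkey, 16);
    memcpy(roundkeys[0], key, 16);
    for (int i = 1; i <= 10; i++) {
        keyexpansion_round(key, rcon);
        memcpy(roundkeys[i], key, 16);
        if (i < 10) rcon = rcon_next(rcon);
    }
    return rcon;
}

/* Self-test against FIPS 197 Appendix A.1: the example Cipherkey and RoundKeys 1, 2 and 10 */
int keyexpansion_selftest(void) {
    const uint8_t ck[16]   = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    const uint8_t rk1[16]  = {0xa0,0xfa,0xfe,0x17,0x88,0x54,0x2c,0xb1,0x23,0xa3,0x39,0x39,0x2a,0x6c,0x76,0x05};
    const uint8_t rk2[16]  = {0xf2,0xc2,0x95,0xf2,0x7a,0x96,0xb9,0x43,0x59,0x35,0x80,0x7a,0x73,0x59,0xf6,0x7f};
    const uint8_t rk10[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    uint8_t rks[11][16];
    if (keyexpansion_all(ck, rks) != 0x36) return 0;
    return memcmp(rks[1], rk1, 16) == 0 && memcmp(rks[2], rk2, 16) == 0 && memcmp(rks[10], rk10, 16) == 0;
}

int main(void) {
    printf("KeyExpansion self-test: %s\n", keyexpansion_selftest() ? "ok" : "FAILED");
    return keyexpansion_selftest() ? 0 : 1;
}
```

Because column 0 of the new RoundKey only reads the old column 3, and every later column reads the column just written, the 16-byte key memory can be overwritten in place as the bytes are produced, which is why a single 16-byte key memory suffices for the whole expansion.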
Example 1
A device fabricated according to the first embodiment of the invention utilised an 8-bit bidirectional bus for data I/O to permit packaging in a SOIC20 package. The overall design was pad limited and less than 1 mm square. The layout of the chip (fabricated using 0.13μm silicon technology) is shown in FIG. 9.
FIG. 10 shows a table of measured performance values of the device in comparison to that disclosed by M. Feldhofer, J. Wolkerstorfer and V. Rijmen, 'AES implementation on a grain of sand', IEE Proc. Information Security, Vol. 1, pp. 13-20, 2005. It will be appreciated that the device represents a substantial improvement in performance over known devices.
It will be appreciated that embodiments of the invention may be integrated in RFID devices as part of apparatus to provide secure data transfer between an RFID device and an RFID device reader. Embodiments of the invention are suitable for incorporation in passive RFID devices, i.e. devices not having an internal power source, but which rely on scavenged power from an RF carrier wave.
Embodiments of the invention may be provided in articles such as items of merchandise, documents such as a passport document, or any other article. Embodiments of the invention are useful in the tracking of a location of a device and a range of other applications.
Throughout the description and claims of this specification, the terms AddRoundKey, SubBytes, MixColumns, KeyExpansion, RCON, ShiftRows, State and the like are to be interpreted, unless the context requires otherwise, according to FIPS 197, which is incorporated herein by reference.
The words "comprise" and "contain" and variations of the words, for example "comprising" and "comprises", mean "including but not limited to", and are not intended to (and do not) exclude other moieties, additives, components, integers or steps.
Throughout the description and claims of this specification, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise. Features, integers, characteristics, compounds, chemical moieties or groups described in conjunction with a particular aspect, embodiment or example of the invention are to be understood to be applicable to any other aspect, embodiment or example described herein unless incompatible therewith.

Claims

CLAIMS:
1. Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the apparatus being further configured under the action of the controller to transfer data bytes from each of a series of addresses in the data memory to the SubBytes portion, the controller being configured to generate the series of addresses from which
data is to be transferred such that the output of the data memory is a column of State as it would appear following a ShiftRows operation, the ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
2. Apparatus as claimed in claim 1 wherein the addresses are determined by calculation of an arithmetic series, a common difference of the arithmetic series being a composite binary number, the composite binary number being a composite of the least significant two bits of a round number, the round number being the number of the round of the AES currently being performed, and the two bit binary constant '01'.
3. Apparatus as claimed in claim 1 or claim 2 configured according to an 8-bit architecture.
4. Apparatus as claimed in any preceding claim wherein the data memory is configured to store a 128-bit working State of the cipher as 16 bytes of data.
5. Apparatus as claimed in claim 4 wherein data is read into the data memory from the data input portion via the AddRoundKey portion in a series of 16 bytes, bytes 0 to 15, the bytes being stored in corresponding respective addresses of the data memory, the controller being configured to map each of bytes 0 to 15 to a single address of the data memory.
6. Apparatus as claimed in claim 5 wherein the address of byte 0 is address 0, the address of byte 1 is address 1, and so forth.
7. Apparatus as claimed in any preceding claim wherein the key memory is configured to store a 128-bit Cipherkey as 16 bytes of data.
8. Apparatus as claimed in any preceding claim wherein the data memory comprises a single port memory.
9. Apparatus as claimed in any preceding claim wherein the key memory comprises a single port memory.
10. Apparatus as claimed in any preceding claim wherein the controller is configured to control the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
11. Apparatus as claimed in any preceding claim wherein the MixColumns portion comprises a MixColumns shift register, the shift register being arranged to be loaded with the series of four MixColumns input bytes.
12. Apparatus as claimed in claim 11 wherein the MixColumns shift register is arranged to provide the four MixColumns input bytes to a MixColumns unit of the MixColumns portion, the MixColumns unit being configured to perform the MixColumns operation.
13. Apparatus as claimed in claim 12 wherein the controller is configured to control the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
M = \begin{bmatrix} ffm2(a) + ffm3(b) + c + d \\ ffm2(b) + ffm3(c) + a + d \\ ffm2(c) + ffm3(d) + a + b \\ ffm2(d) + ffm3(a) + b + c \end{bmatrix}
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
M_i = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3}
where x_i is one of the four bytes representing a column of State, + is modulo-2 addition, and ffm2 and ffm3 are finite field doubling and tripling respectively.
14. Apparatus as claimed in claim 13 wherein the controller is further configured to control the apparatus to write the output bytes from the MixColumns portion back to addresses of the data memory from which input bytes respectively were previously read.
15. Apparatus as claimed in claim 15 wherein the MixColumns unit is configured to perform the MixColumns operation in substantially three clock cycles.
16. Apparatus as claimed in any one of claims 11 to 15 wherein the controller is configured to control the apparatus to load the four input bytes to the MixColumns portion and to provide a corresponding MixColumns output from the MixColumns portion in substantially seven clock cycles.
17. Apparatus as claimed in any one of claims 11 to 16 wherein the MixColumns unit is provided with a set of gates to zero an input of the a,b and c operands thereby to reduce unwanted switching activity.
18. Apparatus as claimed in any one of claims 11 to 17 wherein the MixColumns unit is provided with a final round bypass, the apparatus being arranged in the final round of the AES to pass data to an output of the MixColumns unit without performing a MixColumns operation on the data bytes.
19. Apparatus as claimed in any one of claims 11 to 18 wherein the calculation of the MixColumns function is combined with final round bypass logic and implemented by a network of gates comprising a plurality of inverting gates by defining component operations ffm2 and ffm3 and modulo-2 addition in their inverting forms (bar-(ffm2) and bar-(ffm3)).
20. Apparatus as claimed in any preceding claim wherein the datapath is configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion.
21. Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, the controller being configured to control the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
22. Apparatus as claimed in claim 21 configured according to an 8-bit architecture.
23. Apparatus as claimed in claim 21 or 22 wherein the data memory is configured to store a 128-bit working State of the cipher as 16 bytes of data.
24. Apparatus as claimed in any one of claims 21 to 23 wherein the key memory is configured to store a 128-bit Cipherkey as 16 bytes of data.
25. Apparatus as claimed in any one of claims 21 to 24 wherein the data memory comprises a single port memory.
26. Apparatus as claimed in any one of claims 21 to 25 wherein the key memory comprises a single port memory.
27. Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, wherein the controller is further configured to control the apparatus to sequentially load
four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the MixColumns operation resulting in a required
MixColumns output of the MixColumns portion according to the equation:
M = \begin{bmatrix} ffm2(a) + ffm3(b) + c + d \\ ffm2(b) + ffm3(c) + a + d \\ ffm2(c) + ffm3(d) + a + b \\ ffm2(d) + ffm3(a) + b + c \end{bmatrix}
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
M_i = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3}
where x_i is one of the four bytes representing a column of State, + is modulo-2 addition, and ffm2 and ffm3 are finite field doubling and tripling respectively.
28. Apparatus as claimed in claim 27 wherein the MixColumns portion is configured to provide a MixColumns output around three cycles after a MixColumns input comprising the four bytes of data is provided to the input of the MixColumns operator portion.
29. Apparatus as claimed in claims 27 or 28 wherein the MixColumns portion comprises a MixColumns shift register, the shift register being arranged to be loaded with the series of four MixColumns input bytes.
30. Apparatus as claimed in claim 29 wherein the MixColumns shift register is arranged to provide the four MixColumns input bytes to a MixColumns unit of the MixColumns portion, the MixColumns unit being configured to perform the MixColumns operation.
31. Apparatus as claimed in claim 30 wherein the MixColumns unit is configured to perform the MixColumns operation in substantially four clock cycles.
32. Apparatus as claimed in any one of claims 27 to 31 wherein the controller is configured to control the apparatus to load the four input bytes to the MixColumns portion and to provide a corresponding MixColumns output from the MixColumns portion in substantially seven clock cycles.
33. Apparatus as claimed in any one of claims 27 to 32 wherein calculation of the MixColumns function is combined with final round bypass logic and implemented by a network of gates comprising a plurality of inverting gates by defining component operations ffm2 and ffm3 and modulo-2 addition in their inverting forms (bar-(ffm2) and bar-(ffm3)).
34. Apparatus configured to receive input data and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation, a datapath of the apparatus being configured under the action of the controller to allow the SubBytes unit to be shared between the round processing portion and the KeyExpansion portion.
35. Apparatus according to FIG. 2 implementing a finite state machine configured to operate according to the state transition diagram of FIG. 6.
36. An RFID device comprising apparatus according to any preceding claim.
37. A wired or wireless communications device comprising apparatus as claimed in any one of claims 1 to 35.
38. A wired or wireless communications device as claimed in claim 37 operating by means of power recovered from an RF carrier wave.
39. A method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller; the apparatus being configured under the action of the controller to perform a KeyExpansion operation, a SubBytes operation, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to transfer a data byte from each of a series of addresses in the data memory to the SubBytes portion, the series of addresses being generated
such that the output of the data memory is a column of State as it would appear following a ShiftRows operation, the ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets.
40. A method as claimed in claim 39 wherein the addresses are determined by calculation of an arithmetic series, a common difference of the arithmetic series being a composite binary number, the composite binary number being a composite of the least significant two bits of a round number, the round number being the number of the round of the AES currently being performed, and the two bit binary constant '01'.
41. A method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to perform the AddRoundKey operation on data bytes input to the apparatus via the data input before the data bytes are first stored in the data memory.
42. A method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipher Key, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus to sequentially load four data bytes that are output from the SubBytes unit, the four bytes representing a column of State, into the MixColumns shift register portion, and under the action of the control portion to perform the
MixColumns operation resulting in a required MixColumns output of the MixColumns portion according to the equation:
Figure imgf000043_0001
the calculation being performed in terms of the shifted series of input bytes with all the byte indices being modulo 4:
M_i = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3}
where x_i is one of the four bytes representing a column of State, + is modulo-2 addition, and ffm2 and ffm3 are finite field doubling and tripling respectively.
43. A method of encryption comprising the steps of: providing apparatus configured to input data to the apparatus and to provide an output of encrypted data according to the Advanced Encryption Standard (AES), the apparatus being suitable for implementation in an 8-bit architecture, the apparatus comprising: a controller; a data input portion; a data output portion; a KeyExpansion portion operable to perform a KeyExpansion operation thereby to generate a series of Round Keys from a Cipherkey, the KeyExpansion portion being operable to receive data from the data input portion and to provide a RoundKey output, the KeyExpansion portion comprising a key memory and a KeyExpansion unit; a round processing portion arranged to process a round of the encryption process comprising: a data memory configured to store a State of the cipher; a SubBytes portion operable to perform a SubBytes operation being a transformation in the Cipher that processes the State using a nonlinear byte substitution table (S-box) that operates on each of the State bytes independently; a MixColumns portion operable to perform a MixColumns operation being a transformation in the Cipher that takes all of the columns of the State and mixes their data (independently of one another) to produce new columns; an AddRoundKey portion operable to perform modulo-2 addition of a RoundKey on a byte by byte basis, having a first input configured to receive a signal from an output of the KeyExpansion portion and a second input configured to receive a signal from either the data input or the MixColumns portion under the control of a controller, the apparatus being configured under the action of the controller to perform a
KeyExpansion operation, a SubBytes operation, a ShiftRows operation being a transformation in the Cipher that processes the State by cyclically shifting the last three rows of the State by different offsets, a MixColumns operation, an AddRoundKey operation, and a KeyExpansion operation; and controlling the apparatus such that the SubBytes unit is shared between the round processing portion and the KeyExpansion portion.
44. A method of encryption according to the state transition diagram of FIG. 6.
45. Apparatus substantially as hereinbefore described with reference to FIGURES 2 to 10.
46. An RFID device substantially as hereinbefore described with reference to FIGURES 2 to 10.
47. A wireless communications device substantially as hereinbefore described with reference to FIGURES 2 to 10.
48. A method substantially as hereinbefore described with reference to FIGURES 2 to 10.
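The two claim features above that matter to an implementer are the byte-serial MixColumns formula (one output byte per step, computed from a rotated copy of the column with ffm2/ffm3) and the single S-box that serves both the round processing and the KeyExpansion. The following C program is an added illustration written for this page, not the patent's circuit or any code from the applicants: it is a plain AES-128 encryption in which MixColumns is evaluated exactly as the claim states it and every byte substitution, in SubBytes and in the key schedule's SubWord, goes through one shared `subbyte()` routine. The names `ffm2` and `ffm3` follow the claim's notation; `gf_mul`, `sbox_init`, `subbyte`, `mixcolumn_byte_serial`, `key_expansion`, `aes128_encrypt` and the two `check_*` functions are this example's own. The S-box is derived at start-up (inverse in GF(2^8) then the affine map) rather than stored, so the whole program is self-checking against two published values: the FIPS-197 MixColumns column example (db 13 53 45 -> 8e 4d a1 bc) and the Appendix C.1 AES-128 test vector.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's own design): byte-oriented AES-128 encryption in
 * the style of the claims. MixColumns uses the claim's shifted-series formula
 * M_byte = ffm2(x_i) + ffm3(x_{i+1}) + x_{i+2} + x_{i+3} (indices mod 4, + is XOR),
 * and one S-box serves both the round processing and the KeyExpansion. */

/* ffm2: doubling in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES "xtime"). */
static uint8_t ffm2(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0x00)); }
/* ffm3: tripling is doubling plus the byte itself; addition in GF(2^8) is XOR. */
static uint8_t ffm3(uint8_t x) { return (uint8_t)(ffm2(x) ^ x); }

/* General GF(2^8) multiply, used only to build the S-box at start-up. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    while (b) { if (b & 1) r ^= a; a = ffm2(a); b >>= 1; }
    return r;
}

/* The single shared S-box: multiplicative inverse followed by the AES affine map. */
static uint8_t sbox[256];
static int sbox_ready = 0;
static void sbox_init(void) {
    for (int i = 0; i < 256; i++) {
        uint8_t inv = 0;
        for (int j = 1; i && j < 256; j++)
            if (gf_mul((uint8_t)i, (uint8_t)j) == 1) { inv = (uint8_t)j; break; }
        uint8_t s = inv, x = inv;
        for (int k = 0; k < 4; k++) { x = (uint8_t)((x << 1) | (x >> 7)); s ^= x; }
        sbox[i] = (uint8_t)(s ^ 0x63);
    }
    sbox_ready = 1;
}
static uint8_t subbyte(uint8_t b) { if (!sbox_ready) sbox_init(); return sbox[b]; }

/* MixColumns on one column, one output byte at a time, as the claim states it. */
static void mixcolumn_byte_serial(const uint8_t x[4], uint8_t out[4]) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(ffm2(x[i]) ^ ffm3(x[(i + 1) & 3]) ^ x[(i + 2) & 3] ^ x[(i + 3) & 3]);
}

/* KeyExpansion (AES-128): 11 round keys, 176 bytes. SubWord uses the shared S-box. */
static void key_expansion(const uint8_t key[16], uint8_t rk[176]) {
    uint8_t rcon = 0x01;
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4] = { rk[i - 4], rk[i - 3], rk[i - 2], rk[i - 1] };
        if (i % 16 == 0) {                        /* RotWord, SubWord, Rcon on every 4th word */
            uint8_t t0 = t[0];
            t[0] = (uint8_t)(subbyte(t[1]) ^ rcon); t[1] = subbyte(t[2]);
            t[2] = subbyte(t[3]);                   t[3] = subbyte(t0);
            rcon = ffm2(rcon);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = (uint8_t)(rk[i - 16 + j] ^ t[j]);
    }
}

/* One block. State is column-major as in FIPS-197: byte r + 4c is row r, column c. */
static void aes128_encrypt(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t rk[176], s[16], t[16];
    key_expansion(key, rk);
    for (int i = 0; i < 16; i++) s[i] = (uint8_t)(in[i] ^ rk[i]);           /* initial AddRoundKey */
    for (int round = 1; round <= 10; round++) {
        for (int i = 0; i < 16; i++) t[i] = subbyte(s[i]);                 /* SubBytes */
        for (int r = 0; r < 4; r++)                                         /* ShiftRows: row r left by r */
            for (int c = 0; c < 4; c++) s[r + 4 * c] = t[r + 4 * ((c + r) & 3)];
        if (round < 10) for (int c = 0; c < 4; c++) mixcolumn_byte_serial(s + 4 * c, t + 4 * c);
        else memcpy(t, s, 16);                                              /* no MixColumns in the last round */
        for (int i = 0; i < 16; i++) s[i] = (uint8_t)(t[i] ^ rk[16 * round + i]); /* AddRoundKey */
    }
    memcpy(out, s, 16);
}

/* Checks against published values: the FIPS-197 MixColumns column example and the
 * Appendix C.1 AES-128 test vector. Each returns 1 on success, 0 on mismatch. */
int check_mixcolumns_example(void) {
    const uint8_t col[4] = { 0xdb, 0x13, 0x53, 0x45 }, want[4] = { 0x8e, 0x4d, 0xa1, 0xbc };
    uint8_t got[4];
    mixcolumn_byte_serial(col, got);
    return memcmp(got, want, 4) == 0;
}
int check_fips197_vector(void) {
    uint8_t key[16], pt[16], ct[16];
    const uint8_t want[16] = { 0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                               0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a };
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; pt[i] = (uint8_t)(0x11 * i); } /* 00..0f / 00 11 .. ff */
    aes128_encrypt(key, pt, ct);
    return memcmp(ct, want, 16) == 0;
}

int main(void) {
    printf("MixColumns column example: %s\n", check_mixcolumns_example() ? "ok" : "FAIL");
    printf("FIPS-197 C.1 vector:       %s\n", check_fips197_vector() ? "ok" : "FAIL");
    return 0;
}
```

In hardware the sharing the claim describes is a single S-box circuit time-multiplexed between the round datapath and the key schedule; the software analogue is simply one lookup routine called from both places, which is what `subbyte()` does. Two caveats for anyone reusing the code: the rotated-index form of MixColumns is what makes an 8-bit, one-byte-per-cycle datapath possible, but it is only correct for encryption (InvMixColumns needs the 9/11/13/14 coefficients), and `sbox[b]` is a data-dependent table lookup, which on a cached CPU is a classic cache-timing leak; the example is for functional illustration of the claims, not for use where side channels matter.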
PCT/GB2008/050822 2007-09-15 2008-09-13 Aes-encryption apparatus and method WO2009034393A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0717992.2 2007-09-15
GB0717992A GB0717992D0 (en) 2007-09-15 2007-09-15 Encryption apparatus and method

Publications (1)

Publication Number Publication Date
WO2009034393A1 true WO2009034393A1 (en) 2009-03-19

Family

ID=38658996

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2008/050822 WO2009034393A1 (en) 2007-09-15 2008-09-13 Aes-encryption apparatus and method

Country Status (2)

Country Link
GB (1) GB0717992D0 (en)
WO (1) WO2009034393A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108183790A (en) * 2018-02-13 2018-06-19 中山大学 A kind of AES encryption device, chip and system
CN109039608A (en) * 2018-08-24 2018-12-18 东南大学 A kind of 8-bitAES circuit based on double S cores
CN112910628A (en) * 2021-01-29 2021-06-04 苏州浪潮智能科技有限公司 AES operation method and equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030068036A1 (en) * 2001-10-10 2003-04-10 Stmicroelectronics S.R.L. Method and circuit for data encryption/decryption
WO2005107138A1 (en) * 2004-03-29 2005-11-10 Stmicroelectronics Sa Processor for executing an aes-type algorithm

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
DHOHA C ET AL: "An FPGA hardware implementation of the Rijndael block cipher", DESIGN AND TEST OF INTEGRATED SYSTEMS IN NANOSCALE TECHNOLOGY, 2006. DTIS 2006. INTERNATIONAL CONFERENCE ON SEPT. 5-7, 2006, PISCATAWAY, NJ, USA, IEEE, 5 September 2006 (2006-09-05), pages 351 - 354, XP010942634, ISBN: 978-0-7803-9726-2 *
HÄMÄLÄINEN P ET AL: "Design and implementation of low-area and low-power AES encryption hardware core", DIGITAL SYSTEM DESIGN: ARCHITECTURES, METHODS AND TOOLS, 2006. DSD 2006. 9TH EUROMICRO CONFERENCE ON, IEEE, PI, 1 January 2006 (2006-01-01), pages 577 - 583, XP002483261, ISBN: 978-0-7695-2609-6 *
JÄRVINEN T ET AL: "Efficient Byte Permutation Realizations for Compact AES Implementations", PROCEEDINGS OF THE EUROPEAN SIGNAL PROCESSING CONFERENCE, XX, XX, 4 September 2005 (2005-09-04), pages 1 - 4, XP002483259 *
STALLINGS W: "THE ADVANCED ENCRYPTION STANDARD", CRYPTOLOGIA, UNITED STATES MILITARY ACADEMY, WEST POINT, NY, US, vol. 26, no. 3, 1 July 2001 (2001-07-01), pages 165 - 188, XP001094868, ISSN: 0161-1194 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108183790A (en) * 2018-02-13 2018-06-19 中山大学 A kind of AES encryption device, chip and system
CN108183790B (en) * 2018-02-13 2020-10-13 中山大学 AES encryption device, chip and system
CN109039608A (en) * 2018-08-24 2018-12-18 东南大学 A kind of 8-bitAES circuit based on double S cores
CN112910628A (en) * 2021-01-29 2021-06-04 苏州浪潮智能科技有限公司 AES operation method and equipment

Also Published As

Publication number Publication date
GB0717992D0 (en) 2007-10-24

Similar Documents

Publication Publication Date Title
US7508937B2 (en) Programmable data encryption engine for advanced encryption standard algorithm
EP1271839B1 (en) AES Encryption circuit
USRE44594E1 (en) Method and circuit for data encryption/decryption
CA2373432C (en) Block cipher apparatus using auxiliary transformation
Mangard et al. A highly regular and scalable AES hardware architecture
US9843441B2 (en) Compact, low power advanced encryption standard circuit
US6691921B2 (en) Information processing device
US8411853B2 (en) Alternate galois field advanced encryption standard round
US8515059B2 (en) Cryptographic processor with dynamic update of encryption state
CN1672352A (en) Advanced encryption standard (AES) hardware cryptographic engine
Gueron Advanced encryption standard (AES) instructions set
EP1456994B1 (en) Programmable data encryption engine for advanced encryption standard algorithm
WO2009034393A1 (en) Aes-encryption apparatus and method
Chiţu et al. An FPGA implementation of the AES-Rijndael in OCB/ECB modes of operation
CN105049203A (en) Configurable 3DES encryption and decryption algorism circuit capable of supporting multiple work modes
KR20060012002A (en) A hardware implementation of the mixcolumn/invmixcolumn functions
Khairallah et al. Romulus: Lightweight AEAD from tweakable block ciphers
CN1795637B (en) Method and apparatus for a low memory hardware implementation of the key expansion function
Sreekanth et al. Implementation of area-efficient AES using FPGA for IOT applications
Rady et al. Design and implementation of area optimized AES algorithm on reconfigurable FPGA
Hilewitz et al. Accelerating the whirlpool hash function using parallel table lookup and fast cyclical permutation
WO2007112672A1 (en) A device for implementing sms4 algorithm
US11750369B2 (en) Circuit module of single round advanced encryption standard
Chaves et al. Polymorphic aes encryption implementation
Smyth et al. Reconfigurable cryptographic RISC microprocessor

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08788784

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08788784

Country of ref document: EP

Kind code of ref document: A1