Author (Chinese): 林信夷
Author (English): Hsin-I Lin
Title (Chinese): 高產能低功率先進加密標準晶片之設計與網路應用
Title (English): Design of a High-Throughput Low-Power AES Cipher for Network Applications
Advisor (Chinese): 黃稚存
Advisor (English): Chih-Tsun Huang
Degree: Master
University: National Tsing Hua University
Department: Department of Computer Science
Student ID: 936346
Year of publication (ROC calendar): 95 (2006)
Graduation academic year (ROC calendar): 94
Language: Chinese and English
Pages: 72
Keywords (Chinese): 先進加密標準, 密碼, 密碼學
Keywords (English): AES, cipher, cryptography
Abstract (translated from the Chinese): The Advanced Encryption Standard (AES) was published by the U.S. National Institute of Standards and Technology (NIST) in 2001. Our AES design supports the Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter (CTR), and Counter with CBC-MAC (CCM) modes. Analysis shows that a two-stage pipeline is the most cost-efficient architecture for most of these modes. Many AES implementations have been published in recent years. The SBox, the most computationally expensive component of AES, is usually implemented either as a look-up table or with composite-field arithmetic; since the encryption and decryption SBox tables differ, a table-based SBox cannot be shared between the two directions. Our approach splits the SBox into a multiplicative inverter and an affine transformation and implements only the multiplicative inverter as a look-up table, so the SBox can be shared between encryption and decryption and the hardware cost is reduced. The decomposed SBox also needs only a 128-bit pipeline register at the balanced partition point, far less than the 192-bit pipeline register required by a composite-field SBox. Beyond the inverter, we merge the affine transformation into MixColumns(), the matrix-multiplication step of the AES algorithm, and a re-timing technique further reduces area and the critical path. Our AES core operates with 128-, 192- and 256-bit keys and generates each round key on the fly. In a typical 0.18 µm CMOS technology it reaches a 250 MHz clock and a throughput of 3.2 Gbps with a 128-bit key; in a typical 0.13 µm CMOS technology it reaches 333 MHz and 4.27 Gbps with a 128-bit key. Power and testability were also considered: power consumption is estimated at 113.4 mW in the 0.18 µm process and 43.78 mW in the 0.13 µm process, and fault coverage is 98.38% with 212 test patterns. The core uses 78.8K gates in the 0.18 µm technology and 91.1K gates in the 0.13 µm technology.
Abstract (English): The Advanced Encryption Standard (AES) was published by the National Institute of Standards and Technology (NIST) of the United States in 2001. Our AES design supports the Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter (CTR), and Counter with CBC-MAC (CCM) modes of operation. Analysis shows that a 2-stage pipeline architecture is the most cost-efficient choice for most of these modes. Much AES research has been published in recent years. The SBox, the heaviest component of AES, is usually implemented either as a look-up table (LUT) or with composite-field arithmetic, but a LUT-based SBox cannot be shared between encryption and decryption because the two tables differ. In our design we decompose the SBox into a multiplicative inverter and an affine transformation and implement only the inverter as a LUT, so that the SBox can be shared between encryption and decryption and the overhead is reduced. In addition, the decomposed SBox needs only a 128-bit pipeline register at the balanced pipeline position in the datapath, compared with 192 bits for a composite-field SBox. Besides the multiplicative inverter, our affine transformation is merged into MixColumns(), which performs a matrix multiplication in the AES algorithm, and a re-timing technique is applied to reduce area and the critical path. Our AES core operates with 128-, 192- and 256-bit keys, and the round keys are generated on the fly. Using a typical 0.18 µm CMOS technology, a 250 MHz clock rate is achieved and the throughput for a 128-bit key is 3.2 Gbps; a typical 0.13 µm CMOS technology gives a better clock rate of 333 MHz and a throughput of 4.27 Gbps for a 128-bit key. Power and testability are also considered: the power consumption is estimated at 113.4 mW in the 0.18 µm process and 43.78 mW in the 0.13 µm process, and the fault coverage is 98.38% with 212 test patterns. The gate count of the AES core is 78.8K gates in the 0.18 µm CMOS technology and 91.1K gates in the 0.13 µm CMOS technology.
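To make the SBox sharing described in the abstract concrete, the following is an added Python example, not code from the thesis: it builds the AES SBox as a GF(2^8) multiplicative-inverter look-up table followed by the forward affine transformation of FIPS-197, and the inverse SBox as the inverse affine map followed by the same inverter table. The `sub_byte` function mirrors a shared datapath with an affine step on either side of the single inverter; all function and variable names are my own choices.

```python
"""AES SBox decomposed into a shared GF(2^8) inverter plus affine maps (added example)."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial of the AES field


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo the AES polynomial (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inverse(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    # a^254 == a^-1 because a^255 == 1 for every nonzero field element.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


# The only table in the design: one 256-entry inverter shared by both directions.
INVERTER_LUT = [gf_inverse(x) for x in range(256)]


def _rotl8(v: int, n: int) -> int:
    """Rotate an 8-bit value left by n positions."""
    return ((v << n) | (v >> (8 - n))) & 0xFF


def affine(x: int) -> int:
    """Forward affine map of SubBytes: b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, c = 0x63."""
    return x ^ _rotl8(x, 1) ^ _rotl8(x, 2) ^ _rotl8(x, 3) ^ _rotl8(x, 4) ^ 0x63


def inv_affine(y: int) -> int:
    """Inverse affine map of InvSubBytes: b_i = b'_(i+2) ^ b'_(i+5) ^ b'_(i+7) ^ d_i, d = 0x05."""
    return _rotl8(y, 1) ^ _rotl8(y, 3) ^ _rotl8(y, 6) ^ 0x05


def sbox(x: int) -> int:
    """Encryption SBox = affine(inverse(x)); pure XOR logic around the shared LUT."""
    return affine(INVERTER_LUT[x])


def inv_sbox(y: int) -> int:
    """Decryption SBox = inverse(inv_affine(y)); same LUT, inverse affine applied first."""
    return INVERTER_LUT[inv_affine(y)]


def sub_byte(x: int, decrypt: bool) -> int:
    """Shared datapath: pre-affine mux -> single inverter LUT -> post-affine mux.

    In encryption the pre-stage is the identity and the post-stage is the forward
    affine map; in decryption the pre-stage is the inverse affine map and the
    post-stage is the identity. Only the inverter is ever looked up.
    """
    pre = inv_affine(x) if decrypt else x
    inv = INVERTER_LUT[pre]
    return inv if decrypt else affine(inv)


def sbox_tables_match() -> bool:
    """Check that the two directions are exact inverses over the whole byte range."""
    return all(inv_sbox(sbox(x)) == x for x in range(256))


if __name__ == "__main__":
    # FIPS-197 worked values: S(0x53) = 0xED, S(0x00) = 0x63, InvS(0x00) = 0x52.
    print(hex(sbox(0x53)), hex(sbox(0x00)), hex(inv_sbox(0x00)), sbox_tables_match())
```

The point the abstract makes is visible in the code: a conventional design needs two 256-byte tables (SBox and InvSBox) that cannot be shared, whereas here `INVERTER_LUT` is the only table and the direction is selected by which affine map (a handful of XORs) is active on each side of it. The example also checks all 256 inputs round-trip through `sbox` and `inv_sbox`, which is the test a hardware engineer would run before trusting the shared datapath.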
Table of Contents

1 Introduction
1.1 Background
1.2 Previous Work
1.3 Thesis Organization
2 Algorithm Specification
2.1 AES Specification
2.1.1 Basic Galois Field Arithmetic
2.2 Encryption and Decryption Procedure
2.2.1 SubBytes() Transformation
2.2.2 ShiftRows() Transformation
2.2.3 MixColumns() Transformation
2.2.4 AddRoundKey() Transformation
2.3 Key Expansion
2.4 Different AES Operation Modes
2.4.1 ECB Mode
2.4.2 CBC Mode
2.4.3 CTR Mode
2.4.4 CCM Mode
2.4.5 The Integration of ECB, CBC, CTR, and CCM Modes
3 Implementation Strategy
3.1 AES Architectures to Support ECB, CBC, CTR, and CCM Modes
3.2 Inverter Implementation Strategy
3.3 Improved Round Function
3.4 MixColumns and InvMixColumns Analysis
3.5 The Pipeline Partition
4 AES Design
4.1 Hardware Architecture
4.2 I/O Interface
4.3 Main Controller
4.4 Key Scheduling
4.5 En/Decryption Circuit
4.6 Design for Low Power
5 Experimental Results
5.1 Design Flow
5.2 Simulation Results
5.3 Verification
5.3.1 Random Verification
5.3.2 FPGA Verification
5.4 Analysis and Discussion
5.5 Layout View
6 Conclusion and Future Work
6.1 Conclusion
6.2 Future Work