Professional Documents
Culture Documents
'ound
86
'ound
1ast
ROUND
OUT 09
ROUND
KEYS
'=K)D
I$< 8
'=K)D
I$< -
'=K)D
I$< 6
'=K)D
I$<
1#S*
Key
Reg
Key _En
Key !"#$
Data
Out
!"#$
D%ut
Valid
AES
9i"ing the data within each
column of the State array
#dding a 'ound Iey to the
State
#bove mentioned functions
were carried out for every individual
round and in the last round the third
function, that is, 9i"ing the data
within each column of the State array
will not be performed. Hence the last
round is carried out separately. Fased
on the key provided, the new set of
keys will be generated in the Iey
$"pansion block and is given to the
each round as input.
2.2 ENCRYPTION
#t the start of the $ncryption or
Cipher, the input data and the input key
were copied to the State array using the
conventions. Initially the 5='
operation should be performed
between each byte of the input data
and the input key and the output will
be given as the input of the 'ound4-.
#fter an initial 'ound Iey addition,
the State array is transformed by
implementing a round function -8
times, with the final round differing
slightly from the first Nr- rounds.
*he final State is then copied to the
output. *he round function is
parameteried using a key schedule
that consists of a one4dimensional
array of four4byte words derived using
the Iey $"pansion routine.
*he individual transformations
that carried out are listed below.
SubFytes
Shift'ows
9i"Columns
#dd'oundIey
*able ..J represents the
operation performed at each round and
its order in which each one is carried
out. #ll Nr rounds are identical with
the e"ception of the final round, which
does not include the Mi7C('"&$s
transformation. *hus the cipher te"t,
that is, encrypted data will be achieved
at the end of the final round.
2.2.1 AES CIPHER FUNCTIONS
*he block diagram shown in
the figure ... represents the functions
carried out in each round and the
functions performed in the last round.
Tab'# 2. AES #$cr%/ti($ ci/)#r "si$! a 18 b%t# -#%
Fi!"r# 2.2 3'(c- Dia!ra& .(r AES R("$+ a$+ AES Last R("$+
2.2.1.1 S"b3%t#s Tra$s.(r&ati($
*he SubFytes operation is a
non4linear byte substitution, operating
on each byte of the state independently.
*he s"bstit"ti($ tab'# 9S:3(7; is
invertible and is constructed by the
composition of two transformationsB
*ake the multiplicative inverse
in 'i(ndaelGs finite field
#pply an affine transformation
Since the S4Fo" is independent
of any input, pre4calculated forms are
used, if enough memory %.:; bytes for
one S4Fo"& is available. $ach byte of
the state is then substituted by the
value in the S4Fo" whose inde"
corresponds to the value in the state.
2igure ..J illustrates the effect of the
S"b3%t#s transformation on the State
clearly.
Fi!"r# 2. S"b3%t#s O/#rati($ (.
t)# Stat#
*he S4Fo" for the $ncryption
is given in the #ppendi"4- for the
reference. *he S4Fo" will be of a
-;5-; matri" in which the row is
represented as >"? and the column is
represented by >y?. *he S4bo" used in
the S"b3%t#s transformation is
presented in he"adecimal form and
hence the substitution value would be
determined by the intersection of the
row and the column.
2or e"ample, if S
-,-
N O:JP,
then the substitution value would be
determined by the intersection of the
row with inde" Q: and the column
with inde" QJ. *his would result in S
-,-
having a value of OedP. *hese values
can be referred in the S4Fo" present in
the #ppendi"4-.
2.2.1.2 S)i.tR(1s Tra$s.(r&ati($
#rranges the state in a matri"
and then performs a circular shift for
each row. *his is not a bit wise shift.
*he circular shift (ust moves each byte
one space over. # byte that was in the
second position may end up in the third
position after the shift.
*he circular part of it specifies that the
byte in the last position shifted one
space will end up in the first position
in the same row. Hence in this
Shift'ows operation, each row of the
state is cyclically shifted to the left,
depending on the row inde". *his has
the effect of moving bytes to >lower?
positions in the row, while the >lowest?
bytes wrap around into the >top? of the
row.
Fi!"r# 2.0 S)i.tR(1s O/#rati($ (.
t)# Stat#
2igure ..H illustrates the
S)i.tR(1s transformation. *he
shifting operation will be carried out
horiontally as follows.
*he -st row is shifted 8
positions to the left.
*he .nd row is shifted -
positions to the left.
*he Jrd row is shifted .
positions to the left.
*he Hth row is shifted J
positions to the left.
2.2.1. Mi7C('"&$s Tra$s.(r&ati($
In 9i"Columns operation,
parts of the state are multiplied against
which parts of the matri". *he
transformation operates on the State
column4by4column. *he sate is
arranged into a H row table %as
described in the Shift 'ow function&.
*he multiplication is performed one
column at a time %H bytes&. $ach value
in the column is eventually multiplied
against every value of the matri" %-;
total multiplications&. *he results of
these multiplications are 5='ed
together to produce only H result bytes
for the ne"t state. *here fore H bytes
input, -; multiplications -. 5='s and
H bytes output. *he multiplication is
performed one matri" row at a time
against each value of a state column.
*he pre4defined H5H matri"
value and the first column of the
Shift'ows state are represented as
follows, for the multiplication.
*he first result byte is
calculated by multiplying H values of
the state column against H values of the
first row of the matri". *he result of
each multiplication is then 5='ed to
produce - Fyte.
*he second result byte is
calculated by multiplying the same H
values of the state column against H
values of the second row of the matri".
*he result of each multiplication is
then 5='ed to produce - Fyte.
*he third result byte is
calculated by multiplying the same H
values of the state column against H
values of the third row of the matri".
*he result of each multiplication is
then 5='ed to produce - Fyte.
*he fourth result byte is
calculated by multiplying the same H
values of the state column against H
values of the fourth row of the matri".
*he result of each multiplication is
then 5='ed to produce - Fyte.
*his procedure is repeated
again with the ne"t column of the state,
until there are no more state columns.
Hence putting it all together, the first
column will include state bytes -4H and
will be multiplied against the matri" in
the following mannerB
2igure ..: illustrates the Mi7C('"&$s
transformation
Fi!"r# 2.2 Mi7C('"&$s
(/#rat#s ($ t)# Stat# c('"&$:b%:
c('"&$
Hence the pictorial
representation of the 9i"Columns
operation represented above gives the
clear view on this transformation.
2.2.1.0 A++R("$+K#%
Tra$s.(r&ati($
In the A++R("$+K#%
transformation, a 'ound Iey is added
to the State by a simple bitwise 5='
operation. $ach of the -; bytes of the
state is 5='ed against each of the -;
bytes of a portion of the e"panded key
for the current round. *he $"panded
Iey bytes are never reused. So once
the first -; bytes are 5='ed against
the first -; bytes of the e"panded key
then the e"panded key bytes -4-; are
never used again. *he ne"t time the
#dd 'ound Iey function is called
bytes -74J. are 5='ed against the
state. *he first time #dd 'ound Iey
gets e"ecuted.
*he second time #dd 'ound Iey is
e"ecuted.
*his process will be continued
until the operation ends. *he graphical
representation of this operation can be
seen below.
Fi!"r# 2.8 A++R("$+K#% O/#rati($
*he above figure ..; represents
the clear view on the #dd'oundIey
transformation which takes place
between the results of 9i"Columns
and Iey$"pansion and gives the
resultant matri" that is used as the
input to the ne"t reound.
2.2.2 KEY E<PANSION
3rior to encryption or
decryption the key must be e"panded.
*he e"panded key is used in the A++
R("$+ Iey function defined above.
$ach time the #dd 'ound Iey
function is called a different part of the
e"panded key is 5='ed against the
state. In order for this to work the
$"panded Iey must be large enough
so that it can provide key material for
every time the #dd 'ound Iey
function is e"ecuted. *he #dd 'ound
Iey function gets called for each
round as well as one e"tra time at
beginning of the algorithm.
*he #$S algorithm takes the
Cipher Iey, K, and performs a Iey
$"pansion routine to generate a key
schedule. *he Iey $"pansion
generates a total of Nb %Nr R -& wordsB
the algorithm re0uires an initial set of
Nb words, and each of the Nr rounds
re0uires Nb words of key data. *he
resulting key schedule consists of a
linear array of H4byte words.
Since the key sie is much
smaller than the sie of the sub keys,
the key is actually >stretched out? to
provide enough key space for the
algorithm. Hence an -./ bit key is
e"panded to an -7; byte key.
*here is a relation between the
cipher key sie, the number of rounds
and the $"pandedIey sie. 2or an -./4
bit key, there is one initial
#dd'oundIey operation plus there are
-8 rounds and each round needs a new
-; byte key, therefor we re0uire -8R-
'oundIeys of -; byte, which e0uals
-7; byte. #n iteration of the above
steps is called a round. *he amount of
rounds of the key e"pansion algorithm
depends on the key sie.
Tab'# 2.0 K#% E7/a$si($
*he first bytes of the e"panded
key are always e0ual to the key. If the
key is -; bytes long the first -; bytes
of the e"panded key will be the same
as the original key. If the key sie is J.
bytes then the first J. bytes of the
e"panded key will be the same as the
original key. $ach round adds H bytes
to the $"panded Iey. Aith the
e"ception of the first rounds each
round also takes the previous rounds H
bytes as input operates and returns H
bytes.
*he key e"pansion routine
e"ecutes a ma"imum of H consecutive
functions. *hese functions areB
'=* A='D
SKF A='D
'C=)
5='
Rot Word (4 bytes)
*his does a circular shift on H
bytes similar to the Shift 'ow
2unction. *he H4byte word is cyclically
shifted - byte to the left.
2or $"ample, lets take a
se0uence -,.,J,H which will be rotated
and obtain the result as .,J,H,-.
Sub Word ! bytes"
*he Iey Schedule uses the
same S4Fo" substitution as the main
algorithm body. *his step applies the
S4bo" value substitution as described
in SubFytes function to each of the H
bytes in the argument. *he S4Fo" is
present in the #ppendi"4- for the
reference.
#con
Fasically this function returns a
H byte value based on the following
table.
R("$+
N"&b#r
Rc($ 4a'"#
- 'con%-& 8-888888
. 'con%.& 8.888888
J 'con%J& 8H888888
H 'con%H& 8/888888
: 'con%:& -8888888
; 'con%;& .8888888
7 'con%7& H8888888
/ 'con%/& /8888888
6 'con%6& -F888888
-8 'con%-8& J;888888
Tab'# 2.2 Rc($ Tab'#
*he result of the SubAords
should be 5='ed with the above
mentioned 'con values with respect to
the corresponding round number. It can
be seen that the first Nk words of the
e"panded key are filled with the
Cipher Iey. $very following word,
wSiT, is e0ual to the 5=' of the
previous word, wSi4-T, and the word
Nk positions earlier, wSi4NkT. 2or
words in positions that are a multiple
of Nk, a transformation is applied to
wSi4-T prior to the 5=', followed by
an 5=' with a round constant,
'conSiT.
Steps in Key E$pansion
*he first n bytes of the
e"panded key are simply the
cipher key %n N the sie of the
encryption key&
*he rcon value i is set to -
Kntil we have enough bytes of
e"panded key, we do the
following to generate n more
bytes of e"panded key %please
note once again that LnL is used
here, this varies depending on
the key sie&
-. we do the following to
generate four bytes
we use a
temporary H4
byte word called
t
we assign the
previous H bytes
to t
we perform the
key schedule
core on t, with i
as 'con value
we increment i
we 5=' t with
the H4byte word
n bytes before in
the
e"pandedIey
%where n is once
-; bytes&
". we do the following "
times to generate the
ne"t "UH bytes of the
e"pandedIey %" N J for
nN-;&
we assign the
previous H4byte
word to t
we 5=' t with
the H4byte word
n bytes before in
the
e"pandedIey
%where n is once
-; bytes&
Hence, for nN-;, we generateB H R JUH
bytes N -; bytes per iteration.
2.8 DECRYPTION
*he cipher te"t of -./ bits and
the same key of -./ bits will be given
as the input to the decryption block.
*he encrypted data will be decrypted
and the original plain message will be
achieved as the output of the
decryption block. *he Cipher
transformations can be inverted and
then implemented in reverse order to
produce a straightforward Inverse
Cipher for the #$S algorithm. *he
individual transformations used in the
Inverse Cipher were listed as follows.
InvShift'ows
InvSubFytes
Inv9i"Columns
#dd'oundIey
Here also -8 rounds will be
carried out and the only difference in
the decryption block with respect to
the algorithm flow is that the result of
the Iey$"pansion of each round will
also be given to the 9i"Coulmns
operation after which the
#dd'oundIey transformation should
be carried out.
%nv&i$'olumns state ()# #ound
Key" * %nv&i$'olumns state" ()#
%nv&i$'olumns #ound Key"
*he above e0uation represents
the basic difference in the process of
the #$S $ncryption and Decryption
algorithm.
2.8.1 AES IN4ERSE CIPHER
FUNCTIONS
*he #$S Inverse Cipher
2unction has the same set of
transformations as in the encryption
but in the inverse form, that is, the
predefined values which used for the
each transformation will be different.
In this section we can discuss about
each transformations in detail.
2.8.1.1 I$,S"b3%t#s Tra$s.(r&ati($
InvSubFytes is the inverse of
the byte substitution transformation, in
which the inverse S4Fo" is applied to
each byte of the State. *he inverse S4
Fo" is present in the #ppendi"4- for
the reference. *he transformation of
this process will be carried out in the
similar way as in the SubFytes in the
encryption such as the substitution
value would be determined by the
intersection of the row and the column.
2or e"ample, if S
-,-
N O:JP,
then the substitution value would be
determined by the intersection of the
row with inde" Q: and the column
with inde" QJ. *his would result in S
-,-
having a value of O:8P. *hese values
can be referred in the S4Fo" present in
the #ppendi"4-.
2.8.1.2 I$,S)i.tR(1s
Tra$s.(r&ati($
*he InvShift'ows is the
inverse of the Shift'ows
transformation. *he bytes in the last
three rows of the State are cyclically
shifted over different numbers of bytes
%offsets&. *he first row, r N 8, is not
shifted. *he bottom three rows are
cyclically shifted by Nb 4 shift%r,N&
bytes, where the shift value shift$r!N%
depends on the row number.
Specifically, the InvShift'ows
transformation proceeds as follows.
Fi!"r# 2.= I$,S)i.tR(1s O/#rati($
(. t)# Stat#
*he illustration figure will
gives the clear view on this
InvShift'ows transformation.
2.8.1. I$,Mi7C('"&$s
Tra$s.(r&ati($
*he Inv9i"Columns is the
inverse of the 9i"Columns
transformation. Inv9i"Columns
operates on the State considering
column4by4column. *he pre4defined
H5H matri" value and the first column
of the InvShift'ows state are
represented as follows, for the
multiplication.
#s a result of this
multiplication, the four bytes in a
column are replaced by the following.
*hus the H5H matri" will be
obtained which will be given as the
input to the ne"t transformation.
2.8.1.0 I$,#rs# (. t)# A++R("$+K#%
Tra$s.(r&ati($
*he Inverse of the
#dd'oundIey is similar to the
#dd'oundIey in the encryption
process. $ach element in the resultant
matri" of 9i"Columns and resultant
matri" of Iey$"pansion will be
5='ed and the resultant matri" of
#dd'oundIey will be given as the
input to the ne"t round.
Hence all the inverse cipher
transformations were discussed above
and finally, the only thing left to do is
putting it all together in one inversed
main algorithm. Similarly the forward
cipher transformations were combined
together to form a 'ound and
combining all the -8 'ounds will
constitute a complete #$S $ncryption
and Decryption algorithm.
2.= SUMMARY
Fasic *erminologies and the
3arameters used in this
#lgorithm have been discussed
at the earlier section.
Fasic introduction and
description on the #$S
#lgorithm and its *op 1evel
Flock Diagram was discussed.
Discussed on #$S $ncryption
3rocess which includes #$S
Cipher 2unctions and its
transformation procedure.
Steps involved in the Iey
$"pansion process were given.
#$S Decryption 3rocess which
includes #$S Inverse Cipher
2unctions was e"plained.
CHAPTER CHAPTER
AES
ALGORITHM
IMPLEMENTATION
.1 INTRODUCTION
*he #$S is a block cipher. *his
means that the number of bytes that it
encrypts is fi"ed. #$S can currently
encrypt blocks of -; bytes at a time@ no
other block sies are presently a part of
the #$S standard. If the bytes being
encrypted are larger than the specified
block then #$S is e"ecuted
concurrently. *his also means that #$S
has to encrypt a minimum of -; bytes.
If the plain te"t is smaller than -;
bytes then it must be padded. Simply
said the block is a reference to the
bytes that are processed by the
algorithm.
*he current condition of the
lock will be defined by the State. *hat
is the block of bytes that are currently
being worked on. *he state starts off
being e0ual to the block, however it
changes as each round of the
algorithms e"ecutes. 3lainly we can
say that this is the block in progress.
*he #dvanced $ncryption Standard
#lgorithm which includes both
$ncryption and Decryption are
implemented using ,HD1 and their
functionality will be verified in the
9odelSim *ool with proper test cases.
.2 IMPLEMENTATION
RE>UIREMENTS
During the implementation,
there are different parameters are
re0uired which are discussed as
follows.
%nput +ata ,ength #e-uirements
#n implementation of the #$S
algorithm should have the input data
%3lain *e"t& length of -./ bits which
acts as the primary input to the both
$ncryption and Decryption block.
Key ,ength #e-uirements
In this #$S implementation the
input key chosen to be as -./ bits from
the various key lengths available. *his
also acts as the primary input to the
both $ncryption and Decryption block.
Keying #estrictions
)o weak or semi4weak keys
have been identified for the #$S
algorithm and there is no restriction on
key selection.
.arameteri/ation of 0lock Si/e and
#ound Number
Here since the input data and
the input key lengths are -./ bits, the
block sie will be of )b N H and the
'ound )umber will be of )r N -8. *he
'ound )umber will be taken with
respect to the #$S #lgorithm
Standard.
. NOTATION AND
CON4ENTIONS
*he different notations and
conventions were used in this
implementation of #$S #lgorithm.
1E(
He"adecimal defines a notation
of numbers in base -;. *his simply
means that the highest number that can
be represented in a single digit is -:,
rather than the usual 6 in the decimal
%base -8& system. Hence all the values
were represented in the He"adecimal
number system.
%nputs and )utputs
*he input and output for the
#$S algorithm each consist of
se0uences of -./ bits %digits with
values of 8 or -&. *hese se0uences will
sometimes be referred to as blocks and
the number of bits they contain will be
referred to as their length. *he Cipher
Iey for the #$S algorithm is a
se0uence of -./ bits. =ther input and
output lengths are not permitted by this
standard.
*he bits within such se0uences
will be numbered starting at ero and
ending at one less than the se0uence
length %block length or key length&.
*he number i attached to a bit is
known as its inde" and will be in one
of the ranges 0 i < 128 depending on
the block length and key length
%specified above&.
0ytes
*he basic unit for processing in
the #$S algorithm is a byte, a
se0uence of eight bits treated as a
single entity. *he input, output and
Cipher Iey bit se0uences are
processed as arrays of bytes that are
formed by dividing these se0uences
into groups of eight contiguous bits to
form arrays of bytes. 2or an input,
output or Cipher Iey denoted by a, the
bytes in the resulting array will be
referenced using one of the two forms,
>an& or aSnT, where n will be in one of
the following ranges.
Iey length N -./ bits, 8 n V
-;
Flock length N -./ bits, 8 n V
-;
State
Internally, the #$S algorithms
operations are performed on a two4
dimensional array of bytes called the
State. *he State consists of four rows
of bytes, each containing N bytes,
where N is the block length divided
by J.. In the State array denoted by the
symbol s, each individual byte has two
indices, with its row number r in the
range 8 W r V H and its column number
c in the range 8 W c V N. *his allows
an individual byte of the State to be
referred to as either sr,c or sSr,cT. 2or
this standard, N NH, i.e., 8 W c V H.
#t the start of the Cipher and
Inverse Cipher, the input %the array of
bytes in8, in-, X in-:& will be copied
into the State array. *he Cipher or
Inverse Cipher operations are then
conducted on this State array, after
which its final value is copied to the
output will be the array of bytes out8,
out-, X out-:.
Fi!"r# .1 Stat# Arra% I$/"t a$+
O"t/"t
Hence, at the beginning of the
Cipher or Inverse Cipher, the input
array, in, is copied to the State array
according to the schemeB
s?r* c@ A i$?r B 0c@
.(r C D r E 0 a$+ C D c E Nb*
#nd at the end of the Cipher and
Inverse Cipher, the State is copied to
the output array out as followsB
("t?r B 0c@ A s?r* c@ .(r C D r
E 0 a$+ C D c E Nb.
State as an Array of 'olumns
*he four bytes in each column
of the State array form J.4bit words,
where the row number r provides an
inde" for the four bytes within each
word. *he state can hence be
interpreted as a one4dimensional array
of J. bit words %columns&, #8...#J,
where the column number c provides
an inde" into this array. Hence the
State can be considered as an array of
four words, as followsB
2C A sC*C s1*C s2*C s*C
22 A sC*2 s1*2 s2*2 s*2
21 A sC*1 s1*1 s2*1 s*1
2 A sC* s1* s2* s*
.0 MATHEMATICAL
PRELIMINARIES
#ll bytes in the #$S algorithm
are interpreted as finite field elements
that can be added and multiplied, but
these operations are different from
those used for numbers.
Addition
*he addition of two elements in
a finite field is achieved by >adding?
the coefficients for the corresponding
powers in the polynomials for the two
elements. *he addition is performed
with the 5=' operation %denoted by
&. 2or e"ample, two he"adecimal
numbers have been taken and the
addition, that is, 5=' operation has
performed.
O57P O83P N Od4P
&ultiplication
*he modular product of a%x&
and %x&, denoted by a%x& %x&, is
given by d%x& which are given as
follow.
*he matri" of H5H is taken and
is multiplied with the single column,
that is, matri" multiplication has to be
performed.
*he multiplication of the above
matri" can be performed in the
following manner.
.2 GENERAL
IMPLEMENTATION FLOW
*he generalied
implementation flow diagram of the
pro(ect is represented as follows.
Fi!"r# .2 G#$#ra' I&/'#&#$tati($
F'(1 Dia!ra&
Initially the market research
should be carried out which covers the
previous version of the design and the
current re0uirements on the design.
Fased on this survey, the specification
and the architecture must be identified.
*hen the '*1 modeling should be
carried out in ,HD1 with respect to
the identified architecture. =nce the
'*1 modeling is done, it should be
simulated and verified for all the cases.
*he functional verification should
meet the intended architecture and
should pass all the test cases.
=nce the functional verification
is clear, the '*1 model will be taken to
the synthesis process. *hree operations
will be carried out in the synthesis
process such as
*ranslate
9ap
3lace and 'oute
*he developed '*1 model will
be translated to the mathematical
e0uation format which will be in the
understandable format of the tool.
*hese translated e0uations will be then
mapped to the library that is, mapped
to the hardware. =nce the mapping is
done, the gates were placed and routed.
Fefore these processes, the constraints
can be given in order to optimie the
design. 2inally the FI* 9#3 file will
be generated that has the design
information in the binary format which
will be dumped in the 23!# board.
.8 IMPLEMENTATION
*he pro(ect deals with both the
$ncryption and Decryption algorithm
and its operation.
#3, &odeling
*he implementation of the
encryption and decryption
should be differentiated and the
system must know which one it
should perform. So a signal
>$ncYDec? is declared which
will represents the operation of
the system, that is, system is
either in encryption or
decryption.
*he given input data and key
will be converted to a State and
Aord for the further
transformation.
2or accessing the State, that is,
H5H array, two loops have been
used with the naming
convention of Qi and Q(.
KeyE$pansion
*he implementation of #$S
with the Cipher Iey e"pansion,
that is to enlarge our input
cipher key, whose sie is -./
bits into a larger key, from
which different 'oundIeys can
be derived.
*he S4Fo" values can either be
calculated on4the4fly to save
memory or the pre4calculated
values can be stored in an array.
*here are . S4Fo"es, one for
the encryption and one for the
decryption whose values will
store the values in an array.
#dditionally, instead of
accessing the values
immediately from the program,
it got wrap a little function
around which makes for a more
readable code and would allow
us to add additional code later
on. In the implementation of
the . S4Fo"es, itGs only a table4
lookup that returns the value in
the array whose inde" is
specified as a parameter of the
function.
2rom the theoretical part, it is
known already that 'otate
takes a word %a H4byte array&
and rotates it / bit to the left.
Since / bit correspond to one
byte and the array type is
character %whose sie is one
byte&, rotating / bit to the left
corresponds to shifting
cyclically the array values one
to the left.
*he implementation of 'con is
done with respect to the
counter. *he counter is set with
respect to round number and
the 'con value will be
calculated by performing the
multiplication operation
between the input value and
constant value.
*he Iey $"pansion is where it
all comes together. #s you can
see in the pretty big list in the
theory about the 'i(ndael Iey
$"pansion, we need to apply
several operations a number of
times, depending on they key
sie. Iey$"pansion function
basically needs only two
thingsB
o Input cipher key
o =utput e"panded key
#ll the operations should be
applied one after the other on
the H4byte word which does the
complete operation. *he
parameters are the H4byte word
and the iteration counter, on
which 'con depends. Hence
this Iey$"pansion will be
calculated and each -; bytes
will be given to each 'ound.
AES Encryption
*o implement the #$S
encryption algorithm, we
proceed e"actly the same way
as for the key e"pansion, that
is, we first implement the basic
helper functions and then move
up to the main loop. *he
functions take as parameter a
state, which is, as already
e"plained, a rectangular H"H
array of bytes.
*he shift'ows function iterates
over all the rows and then call
shift'ow with the correct
offset. shift'ow does nothing
but to shift a H4byte array by
the given offset.
*his is the part that involves
the roundIey was generated
during each iteration. Here
simply 5=' each byte of the
key to the respective byte of the
state
*he 9i"Columns
implementation was carried out
by first one would generate a
column and then call
mi"Column, which would then
apply the matri" multiplication.
#s you can see in the theory,
one #$S round is the one
which has to apply all four
operations on the state
consecutively. #ll we have to
do is take the state, the
$"pandedIey and the number
of rounds as parameters and
then call the operations one
after the other.
2inally, all we have to do is put
it all together. =ur parameters
are the input plainte"t, the key
of sie keySie and the output.
2irst, we calculate the number
of rounds based on they
keySie and then the
e"pandedIeySie based on the
number of rounds. *hen we
have to map the -; byte input
plainte"t in the correct order to
the H"H byte state %as e"plained
above&, e"pand the key using
our key schedule, encrypt the
state using our main #$S body
and finally un4map the state
again in the correct order in
order to get the -; byte output
cipherte"t.
AES +ecryption
2or the #$S Decryption, the
key schedule stays the same,
the only operations we need to
implement are the inversed
subFytes, shift'ows and
mi"Columns, while
add'oundIey stays the same.
#s you can see, they are nearly
identical to their encryption
e"cept that the rotation this
time is to the right and that we
use the inversed S4Fo" for the
substitution. #s for the inversed
mi"Columns operation, the
only difference is the
multiplication matri" is
different.
2inally, the only thing left to do
is putting it all together in one
inversed main algorithm.
3lease note that we use our
e"panded key backwards,
starting with the last -; bytes
and then moving towards the
start.
*he separate modules were
written for the 1ast 'ound and
other 'ounds. 2rom first round
to ninth round the same module
can be instantiated and for the
last round, a separate module
was used since it doesnt have
the 9i"Columns operation.
*he functional verification was
carried out for all the test cases and
hence the '*1 modeling is taken to the
synthesis process using the 5ilin" tool.
Synthesis .rocess
*he synthesis process will be
carried out by giving the '*1
model as the input to the tool.
*his '*1 modeling re0uires
,irte"4. board for the
implementation.
Hence the ,irte"4. board is
selected and the whole process
flow will be carried out in the
5ilin" tool and finally the FI*
2I1$ is generated which is
used for dumping on the board.
.= SUMMARY
*he implementation
re0uirement which includes the
primary input and primary
output of the design and the
proper notation and
conventions were discussed.
!eneral implementation flow
of the design were represented
and e"plained in order to
understand the proper flow.
Implementation details have
been discussed which includes
implementation style of each
process.
2inally the synthesis process
was discussed which gives that
in which 23!# family, the
design has been implemented.
CHAPTER 0 CHAPTER 0
RESULTS AND DISCUSSION
0.1 INTRODUCTION
*he #$S $ncryption and
Decryption algorithm and the
implementation were discussed in the
previous chapters. )ow this chapter
deals with the simulation and synthesis
results of the implemented #$S
algorithm. Here 9odelsim tool is used
in order to simulate the design and
checks the functionality of the design.
=nce the functional verification is
done, the design will be taken to the
5ilin" tool for Synthesis process and
the netlist generation.
*he #ppropriate test cases have
been identified in order to test this
modeled #$S $ncryption and
Decryption algorithm. Fased on the
identified values as the reference the
plain te"t and the key of -./ bits will
be given as the input to the design and
the obtained cipher te"t should match
the reference result. *his proves that
the modeled design works properly as
per the algorithm.
0.2 SIMULATION RESULTS
*he test bench is developed in
order to test the modeled design. *his
developed test bench will
automatically force the inputs, which
were taken from the reference, and will
make the operations of algorithm to
perform. *he simulated waveforms for
the various cases have been discussed
in this section.
'ASE-4:
Fi!"r# 0.1 Si&"'ati($ R#s"'t (. AES
E$cr%/ti($ a$+ D#cr%/ti($ .(r S#t:1
I$/"ts
*his case deals with the both
encryption and decryption for first set
of plain te"t and a key of -./ bits. *he
basic and common inputs for both
encryption and decryption stage were
clock %clk&, chip enable %ce& and reset
%rst&. *he reset signal is active high,
that is, when the reset signal is set to
high, the system will be in reset state
and hence all the values will be Q8.
=nce the reset signal is set to low, the
system will start its process.
*here is signal >encYdec?
which represents that the system is in
which operation either in encryption or
decryption. Ahen this >encYdec? is set
to high, the encryption process will be
carried out with the given inputs and
when this signal is set to low, the
decryption process will be carried out.
*he two inputs named as >dataYin? and
>keyYin? which takes the given plain
te"t and the key.
Encryption
Here the first sets of inputs are
taken from the reference as follows.
Input N J. HJ f; a/ // :a J8 /d J- J-
6/ a. e8 J7 87 JH
Cipher Iey N .b 7e -: -; ./ ae d. a;
ab f7 -: // 86 cf Hf Jc
*he above inputs were
represented in the he"adecimal format
which contains -; bytes, that is, -./
bits. So when the proper inputs were
given as the input to the system,
>dinYvalid? and >kYen? signals will go
high. *hese signals represents that the
valid data and the proper key is given
to the system. Hence the output of the
encryption process, that is, the cipher
te"t for the given set of inputs is
obtained as follows.
Cipher *e"t N J6 .: /H -d 8. dc 86 fb
dc -- /: 67 -6 ;a 8b J.
+ecryption
*he above cipher te"t, that is,
encrypted data will be given as the
input to the decryption stage and the
same key should be provided.
Input N J6 .: /H -d 8. dc 86 fb dc --
/: 67 -6 ;a 8b J.
Cipher Iey N .b 7e -: -; ./ ae d. a;
ab f7 -: // 86 cf Hf Jc
Here the >dinYvalid? signal will
goes high only after the encryption
process. Hence the decryption process
will be carried out and the final output,
that is, the same plain te"t which is
given as the input to the encryption
stage will be achieved.
2inal =utput N J. HJ f; a/ // :a J8 /d
J- J- 6/ a. e8 J7 87 JH
*hus the simulation result
which is shown in the figure H.- gives
the clear view on the #$S operation
which was e"plained above.
'ASE-5:
In this case, the same operation
as the case4- will be carried out with
other different sets of inputs. Here also
both encryption and decryption process
were clearly represented in the
simulation waveform shown in the
figure H...
Fi!"r# 0.2 Si&"'ati($ R#s"'t (. AES
E$cr%/ti($ a$+ D#cr%/ti($ .(r S#t:2
I$/"ts
Here the inputs such as plain
te"t and the key for the encryption
process were given as follows.
3lain *e"t N 88 -- .. JJ HH :: ;; 77
// 66 aa bb cc dd ee ff
Iey N 88 8- 8. 8J 8H 8: 8; 87 8/ 86
8a 8b 8c 8d 8e 8f
*he signals shown in the
waveform were represents the same
operation as e"plained in the case4-.
Hence the plain te"t and key were
given as inputs to the encryption stage
and the cipher te"t will be obtained as
output which is represented as follows.
Cipher *e"t N ;6 cH e8 d/ ;a 7b 8H J8
d/ cd b7 /8 78 bH c: :a
*he above encrypted data in
turn will be given as the input to the
decryption stage with the same key
which produces the as plain te"t as the
final output.
2inal =utput N 88 -- .. JJ HH :: ;;
77 // 66 aa bb cc dd ee ff
Hence this represents that the
developed #$S $ncryption and
Decryption #lgorithm works with
different set of inputs.
'ASE-6:
*his case deals with the
internal operation of the #$S
$ncryption process and its results at
each stage which has been clearly
represented in the simulation
waveform shown in the figure H.J.
Fi!"r# 0. Si&"'ati($ R#s"'t (.
E$cr%/ti($ 1it) I$t#r$a' O/#rati($
.(r S#t:1 I$/"ts
*he #$S $ncryption algorithm
internally performs the operation such
as substitution, shifting and mi"ing of
columns. #s discussed in the previous
chapter, the operation of each process
will be carried out and hence the
output calculated values will be seen
clearly in the above waveform. So each
round, all the internal operations will
be carried out and finally the
9i"Column value and the key input of
each round will be 5='ed. Hence the
output of the round will be taken as the
input for the ne"t round. In above
waveform, all the internal operation of
round4- and round4. were shown.
Similarly for all the rounds, the same
operations will be carried out with the
evaluated values. Hence at the last
round, that is, round4-8 the final values
will be evaluated and the cipher te"t
will be given out.
'ASE-!:
*he internal operations
involved during the decryption side
were clearly shown in the figure H.H.
*he cipher te"t generated from
encryption will be given as input to the
decryption block and the same kind of
operation as in the encryption process
will be carried out with the different
pre4defined values. In the waveform
round4- and round4. were shown in
which its internal operation and their
results are shown clearly. *he key will
be given as the inverse of the generated
one from the encryption process.
Fi!"r# 0.0 Si&"'ati($ R#s"'t (.
D#cr%/ti($ 1it) I$t#r$a' O/#rati($
.(r S#t:1 I$/"ts
2inally the last round without
9i"Column operation will be carried
out in order to produce the final output,
that is, plain te"t.
'ASE-7:
*his case deals with the
internal operations involved in the both
encryption and decryption with other
set of inputs. *he operation as
e"plained in the case4J and case4H
were same as here, the only difference
is that the input set is modified. Here
we are checking the operations are
carried out properly with different
inputs and the obtained outputs were
matches with the reference values.
Hence the figure H.: shows the
internal operation of the #$S
$ncryption process and the figure H.;
shows that the internal operations
carried out in the #$S Decryption
process. *he waveform clearly
represents the output values of the each
stage which were fed as input to the
ne"t process.
Fi!"r# 0.2 Si&"'ati($ R#s"'t (.
E$cr%/ti($ 1it) I$t#r$a' O/#rati($
.(r S#t:2 I$/"ts
Fi!"r# 0.8 Si&"'ati($ R#s"'t (.
D#cr%/ti($ 1it) I$t#r$a' O/#rati($
.(r S#t:2 I$/"ts
'ASE-8:
In this case, the first set of
inputs is taken and the whole -8
rounds have been carried out.
Fi!"r# 0.= Si&"'ati($ R#s"'t (.
E$cr%/ti($ .(r S#t:1 I$/"ts
2igure H.7 clearly represents all
the rounds and inputs and outputs of
each round. *hus the data at the every
round output will be acting as the input
to the ne"t round. *hese values can be
cross verified with the reference
values.
Fi!"r# 0.6 Si&"'ati($ R#s"'t (.
D#cr%/ti($ .(r S#t:1 I$/"ts
'ase-9:
In this case, the inputs and
outputs of each round for the other set
of inputs were clearly represented in
the figure H.6 and figure H.-8 for the
both encryption and decryption
process.
Fi!"r# 0.F Si&"'ati($ R#s"'t (.
E$cr%/ti($ .(r S#t:2 I$/"ts
Fi!"r# 0.1C Si&"'ati($ R#s"'t (.
D#cr%/ti($ .(r S#t:2 I$/"ts
*hus the simulation result of
the #$S algorithm for both encryption
and decryption were discussed above
in different cases.
0. INTRODUCTION TO
FPGA
23!# stands for 2ield
3rogrammable !ate #rray which has
the array of logic module, I M= module
and routing tracks %programmable
interconnect&. 23!# can be configured
by end user to implement specific
circuitry. Speed is up to -88 9H but
at present speed is in !H.
9ain applications are DS3,
23!# based computers, logic
emulation, #SIC and #SS3. 23!# can
be programmed mainly on S'#9
%Static 'andom #ccess 9emory&. It is
,olatile and main advantage of using
S'#9 programming technology is re4
configurability. Issues in 23!#
technology are comple"ity of logic
element, clock support, I= support and
interconnections %'outing&.
In this work, design of an #$S
$ncryption and Decryption #lgorithm
is made using ,HD1 is synthesied on
23!# family through 5I1I)5 IS$
*ool. *his process includes followingB
*ranslate
9ap
3lace and 'oute
0..1 FPGA FLOW
*he basic implementation of
design on 23!# has the following
steps.
Design $ntry
1ogic
=ptimiation
*echnology
9apping
3lacement
'outing
3rogramming
Knit
Configured
23!#
#bove shows the basic steps
involved in implementation. *he initial
design entry of may be ,HD1,
schematic or Foolean e"pression. *he
optimiation of the Foolean e"pression
will be carried out by considering area
or speed.
Fi!"r# 0.11 L(!ic 3'(c-
In technology mapping, the
transformation of optimied Foolean
e"pression to 23!# logic blocks, that
is said to be as Slices. Here area and
delay optimiation will be taken place.
During placement the algorithms are
used to place each block in 23!#
array. #ssigning the 23!# wire
segments, which are programmable, to
establish connections among 23!#
blocks through routing. *he
configuration of final chip is made in
programming unit.
0.0 SYNTHESIS RESULT
*he developed #$S $ncryption
and Decryption #lgorithm are
simulated and verified their
functionality. =nce the functional
verification is done, the '*1 model is
taken to the synthesis process using the
5ilin" IS$ tool. In synthesis process,
the '*1 model will be converted to the
gate level netlist mapped to a specific
technology library. *his #$S algorithm
design can be implemented on 23!#
%2ield 3rogrammable !ate #rray&
family of ,irte"4.. Here in this ,irte"4
. family, many different devices were
available in the 5ilin" IS$ tool. In
order to implement this #$S design the
device named as >5C.,/888? has
been chosen and the package as
>22-:-7? with the device speed as >4
:?.
*he design of #$S $ncryption
and Decryption #lgorithm is
synthesied and its results are analyed
as follows.
#3, Schematic
*he '*1 %'egister *ransfer
1ogic& can be viewed as black bo"
after synthesie of design is made. It
shows the inputs and outputs of the
system. Fy double4clicking on the
diagram we can see gates, flip4flops
and 9K5.
Fi!"r# 0.12 RTL Sc)#&atic
*he above figure H.-. shows
the top level block diagram that
contains the primary inputs and outputs
of the design.
+evice utili/ation summary:
*his device utiliation includes
the following.
1ogic Ktiliation
1ogic Distribution
*otal !ate count for the Design
*he device utiliation summery
is shown above in which its gives the
details of number of devices used from
the available devices and also
represented in Z. Hence as the result
of the synthesis process, the device
utiliation in the used device and
package is shown above.
3iming Summary:
Speed 'rade: -(
)inimum period: (*.+,-ns
$)aximum .re/uency: ,0.1+2)34%
IN
&
U
T
S
O
U
T&
U
T
S
)inimum input arrival time efore
clock: *2.,25ns
)aximum output re/uired time after
clock: 6.062ns
)aximum cominational path delay:
No path found
In timing summery, details
regarding time period and fre0uency is
shown are appro"imate while
synthesie. #fter place and routing is
over, we get the e"act timing summery.
Hence the ma"imum operating
fre0uency of this synthesied design is
given as -/.678 9H and the
minimum period as :..7-6 ns.
=22S$* I) is the minimum input
arrival time before clock and =22S$*
=K* is ma"imum output re0uired time
after clock.
0.2 SUMMARY
*he developed #$S algorithm
is modeled and is simulated
using the 9odelsim tool.
*he simulation results are
discussed by considering
different cases.
*he '*1 model is synthesied
using the 5ilin" tool in ,irte"4
. and their synthesis results are
discussed with the help of
generated reports.
CHAPTER 2 CHAPTER 2
CONCLUSION AND FUTURE
SCOPE
2.1 CONCLUSION
2irstly, understanding the
concept of cryptology and flow of #$S
algorithm is done. Successful
implementation of #$S algorithm,
make to know one of the encryption
and decryption standard available in
market and it helps to e"plore the path
to implement such an algorithm using
,HD1. 9ainly, the concept of
instantiation and arrays plays a ma(or
part in implementation. *his is a -./4
bit Iey dependent algorithm which has
control over the -./4bit input data or
plainte"t. *he original message is
taken to -8 round operations which
produces the cipherte"t. *his resultant
encrypted data is fed as the input to the
decryption and -8 rounds operations
were carried out and hence the same
plain te"t is achieved. !iven the same
input key and data %plainte"t or
cipherte"t& any implementation that
produces the same output %cipherte"t
or plainte"t& as the algorithm specified
in this standard is an acceptable
implementation of the #$S.
*he simulation results have
been verified for the different
appropriate test cases. 2inally the
developed model is taken to the 5ilin"
tool and done the implementation
using the 23!# family of ,irte"4.
board.
2.2 FUTURE SCOPE
In recent days, #$S %#dvanced
$ncryption Standard& is used which
has increased level of security. *his
work on the #$S $ncryption and
Decryption #lgorithm of -./ bits can
be e"tended in the future in the
following ways.
#s this algorithm supports the
key length of -6. bits and .:;
bits, the work can be e"tended
by increasing the key length
which increases both the
security level to high and also
the difficulties in hacking level.
#lso this work can be e"tended
by developing a switch. *his
switch will be used to switch
the system of key lengths to
either of -./ bits, -6. bits and
.:; bits. *his will be handling
all the three key lengths and the
re0uired process can be carried
out by with respect to the
switch.
APPENDI<:1 APPENDI<:1
STANDARD TA3LES FOR
AES ALGORITHM
K#%:3'(c-:R("$+ C(&bi$ati($s
S:3(7G S"bstit"ti($ 4a'"#s "s#+ i$
E$cr%/ti($ Pr(c#ss
Matri7 4a'"# "s#+ i$ Mi7C('"&$
O/#rati($ i$ E$cr%/ti($ Pr(c#ss
S:3(7G S"bstit"ti($ 4a'"#s "s#+ i$
D#cr%/ti($ Pr(c#ss
Matri7 4a'"# "s#+ i$ Mi7C('"&$
O/#rati($ i$ D#cr%/ti($ Pr(c#ss