High throughput FPGA implementation of Advanced Encryption Standard algorithm

TELKOMNIKA, Vol.15, No.1, March 2017, pp. 494~503
ISSN: 1693-6930, accredited A by DIKTI, Decree No: 58/DIKTI/Kep/2013
DOI: 10.12928/TELKOMNIKA.v15i1.4713

Received September 1, 2016; Revised October 18, 2016; Accepted November 21, 2016

Soufiane Oukili¹, Seddik Bri²
Materials and Instrumentation (MIN), High School of Technology, Moulay Ismail University, Meknes, Morocco.
Corresponding author, e-mail: soufiane.oukili@gmail.com¹, briseddik@gmail.com²

Abstract

Owing to the worldwide increase of electronic communications and transactions, security and encryption speed have become essential elements of all systems and applications. The Advanced Encryption Standard (AES) is one of the most secure and widely used symmetric encryption algorithms today. In this paper, we present a high throughput, fully pipelined implementation of the AES algorithm, using the least possible amount of hardware. The substitution box (S-box) is the only non-linear step in this algorithm. It is the most complicated and costly part of the system. Considering the high delay and hardware cost required for this transformation, we propose a pipelined S-box implementation using composite fields, to deal with the critical path and the occupied memory. In addition, an efficient key expansion architecture suitable for our proposed AES design is also presented. The design has been successfully implemented on Virtex-5 XC5VLX85 and Virtex-6 XC6VLX75T Field Programmable Gate Array (FPGA) devices using Xilinx ISE 14.7. Our high throughput AES design achieves a data encryption rate of 108.69 Gbps and uses only 6361 slices. Compared to the best previous works, this implementation improves data throughput by 5.6% and reduces the occupied memory by 77.69%.

Keywords: security, Advanced Encryption Standard, high throughput, full-pipelining, S-box, FPGA

Copyright © 2017 Universitas Ahmad Dahlan. All rights reserved.

1. Introduction

Cryptography is the main aspect of secure data transmission over an unreliable network. It is a challenging issue in data communications today that touches many areas, including secure communication channels, strong data encryption techniques and trusted third parties to maintain the database. Cryptography encompasses many problems: encryption, authentication and key distribution, to name a few. An encryption algorithm, or cipher, is a means of transforming plaintext into ciphertext under the control of a secret or public key. A secret key algorithm (symmetric cryptography) uses the same cryptographic key for both encryption of plaintext and decryption of ciphertext. A public key algorithm (asymmetric cryptography) uses pairs of keys: a public key for encryption and a private key for decryption [1,2].

The Data Encryption Standard (DES) was the first modern symmetric key algorithm used for encryption and decryption of digital data. It was developed in the 1970s at IBM and adopted as a Federal Information Processing Standard (FIPS) by the National Institute of Standards and Technology (NIST) in 1977 [3]. In 1998, NIST announced a competition for a new encryption algorithm that would be used for protecting sensitive, non-classified U.S. government information. This algorithm would replace DES, which was not resistant to known attacks because of its short key length. After all reviews, NIST chose an algorithm known as Rijndael. It was developed by two Belgian cryptographers: Dr. Joan Daemen and Dr. Vincent Rijmen. In November 2001, the Advanced Encryption Standard (AES), the standardized version of Rijndael, became a FIPS standard (FIPS-197) [4, 5].

There are software and hardware approaches to implementing the AES cryptographic algorithm. Compared to a software implementation, a hardware implementation provides greater physical security and higher speed [6]. Low power, high throughput and compactness have always been topics of interest for hardware design and implementation.
Because of the increasing requirements for high-speed, high-volume secure communications combined with physical security, the main goal of this paper is to implement a high throughput AES design using as little hardware as possible.

The S-box substitution is at the core of any AES implementation. It is the only non-linear and complex step in each round of the encryption algorithm. The most traditional implementation stores all 256 predefined 8-bit values of the S-box table in various kinds of memories such as ROMs, BRAMs, and LUTs [7,8]. This method can reduce the area cost. However, it suffers from the unbreakable delay of memories, which leads to a reduction in throughput. Another method is based on calculating the S-box function using composite field arithmetic operations, where it is possible to use pipelining to decrease the critical delay and increase the throughput [9,10].

In this paper, we present an efficient high throughput hardware architecture design and implementation of 128-bit key AES, using the full-pipelining technique. Consequently, each round unit is divided into more sub-stages. By increasing the number of these sub-stages, the critical path and clock pulse width of the system can be decreased and, as a result, the throughput is increased. In addition, we propose a pipelined S-box based on composite fields, in which the field operations are implemented in lower order fields and by lower cost subfield operations. It is used to avoid the unbreakable delay of memories and to achieve a further increase in processing speed. Moreover, an efficient key expansion architecture suitable for the fully pipelined AES round units is presented. Our proposed design is implemented on Xilinx Virtex-5 and Virtex-6 FPGA technology. FPGAs offer the advantage of hardware speed together with software flexibility and programmability.
This paper is structured as follows. Section 2 presents a brief background of the AES algorithm. Section 3 gives the relevant works of various authors reported in the literature. Our proposed AES architecture is presented in Section 4. Section 5 provides results and a comparison between our implementations and different reported implementations. Finally, the conclusion and references are given.

2. Background of AES Algorithm

The AES algorithm is a symmetric block cipher, in which both the sender and the receiver use the same key for encryption and decryption. The data block length is fixed at 128 bits and the key length can be 128, 192, or 256 bits. AES is an iterative algorithm. Each iteration is called a round, and the total number of rounds depends on the key length. The key length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of columns) in the cipher key. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8. The output of each round serves as the input of the next stage. For each round, 128-bit input data and a 128/192/256-bit key are required. For this paper, a 128-bit key is chosen, which requires 10 rounds of encryption.

The 128-bit data block is arranged in a 4 × 4 array of bytes called the State, with four rows and four columns consisting of 16 bytes in total. Each round is composed of four different byte-oriented transformations: SubByte, ShiftRow, MixColumn and AddRoundKey, except for the last round, in which the MixColumn transformation is not performed. Apart from this, there is an initial round at the start that consists of only the AddRoundKey transformation [2]. Figure 1 shows the 128-bit key AES algorithm.

a. SubByte: operates on each byte of the State independently. Each byte is substituted by the corresponding byte in the S-box. The S-box is one of the basic components of any symmetric key algorithm and exhibits the property of confusion. This property increases the difficulty of finding the key from known ciphertext. An S-box takes M input bits and transforms them to deliver N bits at the output. AES uses a fixed S-box, which is designed by taking the multiplicative inverse over $GF(2^8)$ and combining the inverse function with an invertible affine transformation. These properties make it resistant to cryptanalysis by providing non-linearity.
b. ShiftRow: takes the data in the State matrix and circularly shifts the bytes of each row left by its row index.
c. MixColumn: in this operation, each column of the State is considered as a polynomial over $GF(2^8)$. This vector is then multiplied by a fixed polynomial.
d. AddRoundKey: takes a unique round key from the key expansion component and simply performs a bit-by-bit XOR with each of the bits in the State matrix.

The decryption structure of the AES algorithm can be derived by directly inverting the encryption structure, and its rounds require four inverse operations: InvSubByte, InvShiftRow, InvMixColumn, and AddRoundKey.

The AES algorithm takes the original main key and performs a key expansion routine to generate the round keys. For a 128-bit key, it generates a total of 11 KeyRounds of 16 bytes each, to be used in the successive rounds of AES, where the first KeyRound is the initial key. Key expansion is also an iterative algorithm with the same number of rounds as AES. The output of each round is the input of the next one. In each round, the first four bytes of the input KeyRound constitute the word w0, the next four bytes the word w1, and so on. The bytes of the final word are left rotated by one position, and then each byte passes through the substitution S-box. The result is XORed with a round constant $RCon_i$. Finally, the columns are added together to generate a new 128-bit round key. Figure 2 shows one round of the key expansion module.
The key expansion is designed to be resistant to known cryptanalytic attacks. The inclusion of a round-dependent round constant eliminates the symmetry, or similarity, between the ways in which round keys are generated in different rounds.

Figure 1. 128-bit key AES Algorithm

Figure 2. Round i of Key Expansion Module

3. Previous Works