An Optimized S-Box Circuit Architecture for Low Power AES Design

Contents Background Power Analysis of Conventional S-Boxes Multi-Stage PPRM S-Box for Low-Power H/W Conclusion

Back Ground In 2001, NIST selected Rijndael as the newsymmetric key standard cipher AES AES H/W will be integrated in various applications Low-power feature is important not only in low-endapplications but also in high-end servers A 10-Gbps AES H/W chip consumes several Wattsin 0.13-µm CMOS Need for power analysis and development of lowpowerarchitectures for AES H/W

Power Analysis Method Power analysis is based on timing simulation Gate switching including dynamic hazard is evaluated Quite accurate estimation compared with staticanalysisVHDL CodeNet ListWave Formlibrary ieee;use ieee.std_logic;entity XNOR isport (A : in std_logic;B : in std_logic;Y : out std_logic;end XNOR;SynthesisTimingSimulationPowerCalculationarchitecture RTL of XNOR isbeginsignal T : std_logic;T

Power Analysis in AES H/W 128-bit bus 11-round Loop Architecture Table-lookup-based S-Box using SOP logic1 %2:1128Data Input75 %10 %1 %15%OthersData RegisterShiftRowsSubBytesMixColumns3:1AddRoundKeyData Output

For Low-Power AES H/W Reducing S-Box power is most effective There are various S-Box H/W architectures Which architecture is suitable for low power ?Objectives Investigate performance of all conventionalS-Boxes Develop a low-power S-Box architecture

Power Analysis ofConventional S-Boxes

S-Box Definition Nonlinear byte substitution function Multiplicative Inversion on GF(2 8 ) + affinetransformation.b =1 0 0 0 1 1 1 11 1 0 0 0 1 1 11 1 1 0 0 0 1 11 1 1 1 0 0 0 11 1 1 1 1 0 0 00 1 1 1 1 1 0 00 0 1 1 1 1 1 00 0 0 1 1 1 1 1a -1 +11000110Affine trans.8x8 XOR matrixInversionComplicated math. logic

S-Box ArchitecturesGF inverter + affine Various mathematical techniques can be applied Rather slow Compact implementation S-Box and S-Box -1 can be mergedDirect mapping Generate black box circuit from a truth table High-speed Rather large S-Box and S-Box -1 cannot be merged

GF Inverter + Affine Apply hieratical structure of composite field GF(((2 2 ) 2 ) 2 ) Map elements on GF(2 8 ) onto GF(((2 2 ) 2 ) 2 ) by isomorphism Each component is constructed using AND-XOR logicGF(2 8 )isomorphismGF(((2 2 ) 2 ))2inversionGF(((2 2 ))GF((22 )2)GF(2 2 )GF(2)2 2)44x 2λx -144GF(2 8 )isomorphismmergedaffine trans.-122x 2φx -122

Direct Mapping 2-Level Logic SOP (Sum of Products) : (NOT)-AND-OR POS (Product of Sums) : (NOT)-OR-AND PPRM (Positive Polarity Reed-Muller) : AND-XOR8-bit inputSeveralhundredwiresANDmatrixOR / XORmatrix8-bit output

Direct Mapping Selector-Based Logic BDD (Binary Decision Diagram) Twisted BDD will appear at ICCD 2002 in Sep.in0 in1 in2 in3 in4 in5 in6 in7in0 in1 in2 in3 in4 in5 in6 in7out0out001out1out101out72:1MUXBDDout7TwistedBDD

Power vs. Gate Count Smaller circuits do not always consume less power400Power (uW)350300250200150100500.13-µm 1.5-V CMOS @ 10 MHzNominal conditionsBDDPPRMTwistedBDDCompositePOSField SOP TableLookup00 0.5 1 1.5 2 2.5 3Gate Count (Kgate)

Analysis Power consumption of S-Box is greatlyinfluenced by the number of dynamic hazardsCaused by Differences of signal arrival times at each gate Propagation probability of signal transitions

AnalysisDifferences of signal arrival times at each gate Composite field S-Box consumes a lot of powerin spite of having the smallest size It has many crossing and branched signal pathsSwitch many timesx 2λx -1Multiplesignalpaths

AnalysisPropagation probability of signal transitions An XOR gate transfers signal transitions frominput to output with probability 100% For AND, OR gates, the probability is 50% So power for SOP is lower than PPRM0XOR1100% Probability0AND0150% Probability1OR10

Multi-Stage PPRM S-Boxfor Low-Power H/W

Approach for Low Power S-Box Use composite field S-Box Reduce gate counts Divide combination logic into multiple stages Reduce probability of signal transitions Adjust the signal timing between each stageusing 2-level logic Reduce the number of dynamic hazardsTransition Probability0.5 1.00.5 1.0 0.5 1.0 0.5 1.0ANDarrayXORarray

Multi-Stage PPRM Composite field S-Box is divided into several blocks Each block is designed using PPRM logic suitable forGF operations Adjust signal timing by using 2-level (AND-XOR) logic4844x 2λ4x -1444-1+affine84Delay chain8ANDarrayXORarray428 4 AND XOR 4array array4412 ANDarray432XORarray83-stage PPRM

Multi-Stage PPRM PPRM S-Boxes can be divided many ways (1~6-stages)XOR AND-XOR AND-XOR AND-XOR4844x 2λ-14x -1444+affine8422x 2φx -122AND-XOR AND-XOR AND-XOR

Power vs. Gate Count 3-stage PPRM is the most effective architecture Multi-stage SOP is not suitable for GF operation8007006000.13-µm 1.5-V CMOS @ 10 MHzNominal conditions2-3-Power (uW)50040030020010006-4-3-2-1-stage(normal PPRM)1-stage(normal SOP)0 1 2 3 4 5 6 7Gate Count (Kgate)PPRMSOP

Power vs. Gate Count 3-stage PPRM is the most effective architecture Multi-stage SOP is not suitable for GF operationPower (uW)4003503002502001501005000.13-µm 1.5-V CMOS @ 10 MHzNominal conditionsBDDPPRMCompositePOSField SOP TableLookup3-stage PPRM0 0.5 1 1.5 2 2.5 3Gate Count (Kgate)TwistedBDD1/3 power with 1/2 gates

Conclusion The AES S-Box (SOP logic) consumes 75% ofthe power Dynamic hazards boost power needs of S-Boxes A multi-stage PPRM architecture based on acomposite field S-Box was developed 3-stage PPRM / SOP : Power = 1/3, Size = 1/2 This architecture can be applied to other S-Boxesdefined over Galois fields