TY - GEN
T1 - Hardware Implementation of AES Using Area-Optimal Polynomials for Composite-Field Representation GF((2^4)^2) of GF(2^8)
AU - Gueron, Shay
AU - Mathew, Sanu
N1 - Publisher Copyright: © 2016 IEEE.
PY - 2016/9/7
Y1 - 2016/9/7
N2 - This paper discusses the question of optimizing AES hardware designs by using the composite-field representation GF((2^4)^2) of the field GF(2^8) that underlies the definition of AES. Here, GF((2^4)^2) is the field extension of the ground field GF(2^8) with an extension polynomial of the form x^2 + αx + β, where α and β are elements of the field GF(2^4). Previous designs with such representations used α = 1, which seemingly leads to some obvious savings. By contrast, we seek the optimal designs among all the possibilities. Our designs are based on mapping the input, output, round keys, and the AES operations to and from any one of the 2880 possible representations of GF(2^8) as GF((2^4)^2). For each representation, we also explore three options for the affine/inverse-affine constants, resulting in a total of 8640 possible designs. We identify the smallest-area representations for AES encryption-only, decryption-only, and unified encryption-decryption. Surprisingly, the optimal representations in each case are different from each other. In addition, we identify six distinct representations that are optimal, depending on operating mode and AES pipeline depth. Among other results, we show here a set of high-bandwidth 16-byte AES datapaths with extension polynomials of the form x^2 + αx + β where α ≠ 1, showing that the a priori obvious choice of α = 1 does not necessarily lead to the best result. We provide the full details of all the design possibilities, together with their respective areas, based on a 22nm CMOS implementation.
KW - AES
KW - Advanced Encryption Standard
KW - Area-efficient Hardware accelerator
KW - Memory encryption engines
KW - optimal GF(2) composite-field representation
UR - http://www.scopus.com/inward/record.url?scp=84988938364&partnerID=8YFLogxK
U2 - 10.1109/ARITH.2016.32
DO - 10.1109/ARITH.2016.32
M3 - Conference contribution
T3 - Proceedings - Symposium on Computer Arithmetic
SP - 112
EP - 117
BT - Proceedings - 2016 IEEE 23rd Symposium on Computer Arithmetic, ARITH 2016
A2 - Hormigo, Javier
A2 - Revol, Nathalie
A2 - Montuschi, Paolo
A2 - Oberman, Stuart
A2 - Schulte, Michael
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd IEEE Symposium on Computer Arithmetic, ARITH 2016
Y2 - 10 July 2016 through 13 July 2016
ER -