Hardware Design and Performance Estimation of The 128-bit Block Cipher CRYPTON

Transcription

1 Hardware Desig ad Performace Estimatio of The 128-bit Block Cipher CRYPTON Eujog Hog, Jai-Hoo Chug, ad Chae Hoo Lim Iformatio ad Commuicatios Research Ceter Future Systems, Ic Yagjae-Dog, Seocho-Ku, Seoul, Korea {ejhog, jhoo, future.co.kr Abstract CRYPTON is a 128-bit block ecryptio algorithm proposed as a cadidate for the Advaced Ecryptio Stadard (AES), ad is expected to be especially efficiet i hardware implemetatio. I this paper, hardware desigs of CRYPTON, ad their performace estimatio results are preseted. Straightforward hardware desigs are improved by exploitig hardware-friedly features of CRYPTON. Hardware architectures are described i VHDL ad simulated. Circuits are sythesized usig 0.35 μm gate array library, ad timig ad gate couts are measured. Data ecryptio rate of 1.6 Gbit/s could be achieved with moderate area of 30,000 gates ad up to 2.6 Gbit/s with less tha 100,000 gates. 1. Itroductio The explosive growth i computer systems ad their itercoectios via etworks has chaged the way we live. From politics to busiess, our lives deped o the iformatio stored ad commuicated usig these systems. This i tur has led to a heighteed awareess of the eed of the iformatio security. To eforce iformatio security by protectig data ad resources from disclosure, a secure ad efficiet ecryptio algorithm is eeded. Sice the widely used ecryptio algorithms, DES or Triple DES, are o more cosidered secure eough or efficiet for future applicatios, a ew block ecryptio algorithm with a stregth equal to or better tha that of Triple DES ad sigificatly improved efficiecy is eeded. Recetly very high badwidth etworkig techologies such as ATM ad Gigabit Etheret are rapidly deployed [1]. Network applicatios such as virtual private etwork [2] eed high-speed executios of ecryptio algorithms for high-speed etworks. I order to utilize the high-speed etworks at lik speed, ecryptio speed as fast as 1 Giga bits per secod is required. Accordig to our experimet, the executio speed of Triple DES o Itel Petium-II, 333MHz is oly 19.6Mbps, ad the highest performace of Triple DES from the commercially available ecryptio hardware is about 200 Mbps [3, 4]. CRYPTON [5, 6] is a 128-bit block ecryptio algorithm proposed as a cadidate for the Advaced Ecryptio Stadard (AES) [7]. I the evaluatio performed by NIST, its software implemetatio o Petium- Pro, 200MHz showed about 40Mbps, the best ecryptio ad decryptio speeds amog the AES cadidates [8]. Hardware implemetatios of CRYPTON are expected to be more efficiet tha software implemetatios - 1 -

2 because it was desiged from the begiig with hardware implemetatios i mid. The ecryptio ad decryptio use the idetical circuitry, ad there eeds o large logic for S-boxes. Moreover it does ot use additio or multiplicatio but oly uses exclusive-or operatios, ad the exclusive-or operatios ca be executed i parallel. CRYPTON is cosidered as the most hardware-friedly AES cadidate o several researches [9-11]. I this paper, hardware desigs of CRYPTON Versio 1.0 [6], which were optimized by exploitig the hardware-friedly features of CRYPTON, are preseted. To maximize operatio parallelism, key geeratio ad data ecryptio operatios are executed simultaeously. Some roud loops ca be urolled for speedup without icreasig the quatity of logic. S-boxes used for both key schedulig ad data ecryptio are shared to miimize the area. Hardware architectures are described i VHDL ad simulated usig Syopsys Compiler ad Simulator. Circuits are sythesized usig 0.35 μm gate array library, ad timig ad gate couts are measured. This paper is orgaized as follows. I Sectio 2, CRYPTON algorithm is briefly itroduced. I Sectio 3, our desig cosideratios of CRYPTON hardware are described. I Sectio 4 ad 5, the detailed hardware desigs of CRYPTON ad estimatio results are preseted respectively. Cocludig remarks are made i Sectio CRYPTON Algorithm I CRYPTON, each data block of 128 bits is processed i the form of a 4 4 byte array. The roud trasformatio of CRYPTON cosists of four steps: byte-wise substitutios, colum-wise bit permutatio, colum-to-row traspositio, ad the key additio. The ecryptio process ivolves 12 repetitios of the same roud trasformatio. The decryptio process ca be made idetical to the ecryptio process with a differet key schedule. Figure 1 shows the high level structure of CRYPTON. 256-bit User Data Iput : 4 32-bit words Schedule Roud K 0 Roud keys K i (i = ) iitial key additio Additio repeat this roud fuctio 12 times Byte Substistutio Bit Permutatio ad Byte Traspostio Additio Output Trasformatio Byte Traspositio Bit Permutatio Byte Traspositio Data Ecryptio Data Output : 4 32-bit words Figure 1. The Structure of CRYPTON. The block cipher CRYPTON has the followig features: 12-roud self-reciprocal cipher (with idetical processes for ecryptio ad decryptio) with block legth 128 bits ad key legth up to 256 bits. Strog security agaist existig attacks

3 Efficiecy i both SW ad HW: thaks to the high degree of parallelisms ad the use of oly very simple operatios (logical ANDs/XORs, rotates, ad table lookups), CRYPTON rus very fast o most platforms i software as well as i hardware. Wide tradeoffs betwee speed ad memory: It ca be implemeted usig the storage of 32, 256, 1K, 4K, 16K or 512K bytes, etc. Its speed o Petium Pro 200 MHz rages from 54 Mbps (i C) to 64 Mbps (i i-lie ASM). Fast key schedulig: The ecryptio key schedule rus much faster tha oe-block ecryptio, so it is very efficiet for use i the applicatio requirig frequet key chages (e.g., i hashig mode). 2.1 Basic Buildig Blocks Byte Substitutio γ CRYPTON uses a oliear byte substitutio usig four 8 8 S-boxes, S i (0 i 3). These S-boxes are derived from oe 8 8 ivolutio S-box S (i.e., S = S -1 ) ad satisfy the iverse relatioships S 2 = S -1-0 ad S 3 = S 1 1. The ivolutio S-box S was desiged to eable efficiet logic implemetatio (see [6] for details). The S-box trasformatio γ cosists of byte-wise substitutios o a 4 4 byte array. Two differet trasformatios are used alteratively i successive rouds: γ ο i odd rouds ad γ e i eve rouds. They are depicted i Figure 2. Observe that the four S-boxes are arraged so that the followig holds for ay 4 4 byte array A: γ ο (γ e (A)) = γ e (γ ο (Α)) = Α. This property is used to derive the idetical process for ecryptio ad decryptio. A[0] a 03 a 02 a 01 a 00 B[0] S 3 (a 03 ) S 2 (a 02 ) S 1 (a 01 ) S 0 (a 00 ) A[1] a 13 a 12 a 11 a 10 γ o B[1] S 0 (a 13 ) S 3 (a 12 ) S 2 (a 11 ) S 1 (a 10 ) A[2] a 23 a 22 a 21 a 20 B[2] S 1 (a 23 ) S 0 (a 22 ) S 3 (a 21 ) S 2 (a 20 ) A[3] a 33 a 32 a 31 a 30 B[3] S 2 (a 33 ) S 1 (a 32 ) S 0 (a 31 ) S 3 (a 30 ) A[0] a 03 a 02 a 01 a 00 B[0] S 1 (a 03 ) S 0 (a 02 ) S 3 (a 01 ) S 2 (a 00 ) A[1] a 13 a 12 a 11 a 10 γ e B[1] S 2 (a 13 ) S 1 (a 12 ) S 0 (a 11 ) S 3 (a 10 ) A[2] a 23 a 22 a 21 a 20 B[2] S 3 (a 23 ) S 2 (a 22 ) S 1 (a 21 ) S 0 (a 20 ) A[3] a 33 a 32 a 31 a 30 B[3] S 0 (a 33 ) S 3 (a 32 ) S 2 (a 31 ) S 1 (a 30 ) Figure 2. The Byte Substitutio γ Bit Permutatio π ad Byte Traspositio τ As liear trasformatios, CRYPTON uses a sequece of bit permutatio ad byte traspositio. The bit permutatio π mixes each byte colum i 4 4 byte array ad the byte traspositio τ trasposes the resultig byte colums ito byte rows. Let us first defie four maskig vectors (M 3, M 2, M 1, M 0 ) for bit extractio used i π as M 0 = m 3 m 2 m 1 m 0 = 0x3fcff3fc, M 1 = m 0 m 3 m 2 m 1 = 0xfc3fcff3, - 3 -

4 M 2 = m 1 m 0 m 3 m 2 = 0xf3fc3fcf, M 3 = m 2 m 1 m 0 m 3 = 0xcff3fc3f, where m 0 = 0xfc, m 1 = 0xf3, m 2 = 0xcf, m 3 = 0x3f. To make the ecryptio ad decryptio processes idetical, two slightly differet versios of a bit permutatio is used; π ο i odd rouds ad π e i eve rouds. They are defied as follows: Bit permutatio π o for odd rouds: B = π o (A) defied by B[0] (A[3] M 3 ) (A[2] M 2 ) (A[1] M 1 ) (A[0] M 0 ), B[1] (A[3] M 0 ) (A[2] M 3 ) (A[1] M 2 ) (A[0] M 1 ), B[2] (A[3] M 1 ) (A[2] M 0 ) (A[1] M 3 ) (A[0] M 2 ), B[3] (A[3] M 2 ) (A[2] M 1 ) (A[1] M 0 ) (A[0] M 3 ). Bit permutatio π e for eve rouds: B = π e (A) defied by B[0] (A[3] M 1 ) (A[2] M 0 ) (A[1] M 3 ) (A[0] M 2 ), B[1] (A[3] M 2 ) (A[2] M 1 ) (A[1] M 0 ) (A[0] M 3 ), B[2] (A[3] M 3 ) (A[2] M 2 ) (A[1] M 1 ) (A[0] M 0 ), B[3] (A[3] M 0 ) (A[2] M 3 ) (A[1] M 2 ) (A[0] M 1 ). Note that i hardware each bit of π outputs requires oly exclusive-ors of three differet bits. The byte traspositio τ simply rearrages a 4 4 byte array by movig the byte at the (i, j)-th positio to the (j, i)-th positio (See Figure 3 for B = τ(α) ). A[0] a 03 a 02 a 01 a 00 B[0] a 30 a 20 a 10 a 00 A[1] a 13 a 12 a 11 a 10 τ B[1] a 31 a 22 a 11 a 01 A[2] a 23 a 22 a 21 a 20 B[2] a 32 a 22 a 12 a 02 A[3] a 33 a 32 a 31 a 30 B[3] a 33 a 23 a 13 a 03 Figure 3. The Byte Traspositio τ Additio σ mixig is performed by simply exclusive-orig roud keys with data words. That is, for a roud key K = (K[3], K[2], K[1], K[0]) t, B = σ Κ (A) is defied by B[i] = A[i] K[i] for i = 0, 1, 2, Roud Trasformatio ρ Oe roud of CRYPTON cosists of applyig i sequece S-box trasformatio, bit permutatio, byte traspositio ad key additio. That is, the ecryptio roud fuctios used for odd ad eve rouds are defied (for roud key K) by ρ οκ = σ Κ τ π ο γ ο ρ eκ = σ Κ τ π e γ e for r = 1, 3,... etc., for r = 2, 4,... etc. 2.2 Ecryptio ad Decryptio The ecryptio trasformatio E K of r-roud CRYPTON uder key K cosists of a iitial key additio ad r/2 times repetitios of ρ ο ad ρ e ad the a fial output trasformatio. Ecryptio ad decryptio ca be - 4 -

5 performed by the same code (logic) if differet roud keys are applied. 2.3 Schedulig r-roud CRYPTON requires total 4(r 1) roud keys each of 32-bit legth. These roud keys are geerated from a user key of 8k (k = 0,1,...,32) bits i two steps: first oliear trasform the user key ito 8 expaded keys ad the geerate the required umber of roud keys from these expaded keys usig simple operatios. This two-step geeratio of roud keys is to allow efficiet o-the-fly roud key computatio i the case where storage requiremets do ot allow storig the whole roud keys. For details of CRYPTON algorithm, please refer to [6]. 3. Desig Cosideratios 3.1 Parallel Executio of Geeratio ad Ecryptio Some block ciphers pre-compute roud keys ad store them. The the stored keys are used repeatedly while ecryptig. This style eeds extra cycles for key setup, ad large storage if all 12 roud keys of 128-bit legth are to be stored. However, CRYPTON ca geerate keys simultaeously with ecryptio. The time it takes to geerate a roud key of CRYPTON is isigificat compared to the time it takes for a roud trasformatio, ad this makes it possible to geerate roud keys with the ecryptio proceedig. The parallel operatio of hardware CRYPTON is illustrated i Figure 4. User Data Iput K1 Geeratio K 1 Roud 1 Trasformatio K2 Geeratio K 2 Roud 2 Trasformatio K12 Geeratio K 12 Roud 12 Trasformatio Data Output Figure 4. Cocurret Operatio of Hardware CRYPTON. 3.2 Loop Urollig Because CRYPTON cosists of 12 repetitios of roud trasformatio, iteratio is a ievitable choice for small area desigs. Rather tha buildig every roud trasformatio separately, a data flow is made to pass the same hardware block repeatedly. We ca build the whole ecryptio with oly a small, basic buildig block by exploitig iteratio. The block diagram for 12-cycle iteratio is show i Figure 5(a)

6 MUX MUX Eve Roud Trasformatio MUX Odd Roud Trasformatio Loop Urollig Odd Roud Trasformatio Eve Roud Trasformatio Register Register X 12 cycles (a) X 6 cycles (b) Figure 5. Loop Urollig. Although iteratio results i small area desigs, it accompaies additioal path delay take from multiplexer ad register. To reduce the umber of pass through multiplexer ad register, we ca uroll the loop so that oe cycle cotais double or may times of the roud trasformatio logic. I Figure 5(b), two roud trasformatios are performed i a cycle, but the umber of compoets icluded i the desig is oe multiplexer less tha that of Figure 5(a). We ca fid that the desig i Figure 5(b) has better speed ad area tha the desig i Figure 5(a). CRYPTON has a good tradeoff betwee speed ad area whe 2, 3, 4, 6, or 12 rouds are cocateated i a loop. 3.3 Commo Logic Sharig CRYPTON has oly a few simple operatios as its compoets. Because the compoets appear i several differet parts of the algorithm, we ca make those parts share a commo logic block rather tha buildig may separate logic blocks. Commo logic sharig will cotribute to area reductio oly if the commo compoets have smaller area tha the multiplexer added. Otherwise it will oly result i icreased cotrol burde ad loger path delay. Data Iput Data Iput Logic B User Logic B User MUX Byte Substitutio Byte Substitutio Commo Logic Sharig Byte Substitutio Logic A Roud Logic C Logic A Roud Logic C Data Output Data Output Schedulig Module Ecryptio Module Schedulig Module Ecryptio Module (a) Figure 6. Commo Logic Sharig. (b) CRYPTON has byte substitutio operatio both i key schedulig module ad ecryptio module. Because byte substitutio charges a sigificatly larger area tha 128 2:1 multiplexers, there is a beefit of adoptig commo logic sharig as show i Figure

7 4. Hardware Desig of CRYPTON I this sectio we propose two hardware desigs of CRYPTON. 4.1 Two-Roud Model Two-roud model performs two successive trasformatios for eve ad odd rouds withi a clock cycle. Tworoud model is efficiet i area-speed tradeoff as we saw i Sectio 3.2, ad it has smaller area tha desigs with 3, 4, 6, or 12 rouds cocateated. Two-roud model cosists of three modules: ecryptio module, key schedulig module, ad cotrol module as show i Figure 9. The followig scheme describes how two-roud model works. (1) Load 128-bit iput data at DATA_IN port, ad 256-bit user key at USER_KEY port. (2) If decryptio is to be performed, apply logic high o DECR port util the ecryptio is fiished. (3) Start ecryptio by applyig logic high pulse for oe clock cycle at the START port. (4) Check the output port DONE to see if the ecryptio is completed. (5) If DONE port outputs logic high, read the ecryptio result through output port DATA_OUT. The 12-roud ecryptio process eeds 13 roud keys; from the roud 0 key to the roud 12 key. Geeratig 13 roud keys will take 7 clock cycles because two-roud model computes two keys withi a clock cycle. Thus the result is available 7 clock cycles later after logic high o START port is latched at the risig edge of clock. Eve Roud Iput : 4 32-bit words M0 M if (roud == 0) M0, else M (128 of 2:1 mux) Eve Roud U Iput : 4 32-bit words M0 if (the 0th roud) M0, else M (128 of 2:1 mux) A M Byte Substitutio, odd if (expasio cycle) U, else A (128 of 2:1 mux) Bit Permutatio, odd Byte Traspositio Byte Substitutio, odd Bit Permutatio, odd Odd Roud 128-bit register Ur Ko Byte Traspositio Byte Substitutio, eve Bit Permutatio, eve Byte Traspositio V 128-bit register B if (expasio cycle) V, else B (128 of 2:1 mux) Byte Substitutio, eve Bit Permutatio, eve Byte Traspositio Byte Traspositio Bit Permutatio, eve Vr Byte Traspositio Byte Traspositio Output: 4 32-bit words Bit Permutatio, eve Byte Traspositio Output : 4 32-bit words (a) (b) Figure 7. Ecryptio Module of Two-Roud Model - 7 -

8 Figure 7(a) shows the ecryptio module of two-roud model. I ecryptio module, two blocks for eve roud trasformatio ad odd roud trasformatio are cascaded serially, but the sequece of blocks i Figure 7(a) is somewhat differet from that of Figure 1. Because roud 0 has uiqueess that oly key additio is performed i it, it will require extra 128 two-iput exclusive-or gates if we did t take the sequece show i Figure 7(a). The block diagram for key schedulig module is depicted i Figure 8. schedulig module coveys two successive roud keys to the ecryptio module at every clock cycle. Oe of our desig priciples is parallel executio metioed i Sectio 3.1, ad we do t adopt ay roud-key pre-computatio style for speed ehacemet. There is desig cocer i the fial stage of roud-key computatio. A roud key is exclusive-or sum of a roud-costat, maskig costats, ad expaded keys. There are oly 4 maskig costats that ca be easily built ito combiatio logic, ad expaded keys are ukow before the roud, thus we have o desig choices about them. But there are as may as 13 roud-costats of 32-bit legth, ad oe should decide if he will build wired logic out of pre-computed roud-costats, or make the desig compute the costats from the specified equatio at each clock cycle. Computatio of costats i fully parallelized desig like Figure 8 eeds at least 4 32-bit adders ad two 32-bit registers. O the other had usig wired logic for the 13 costats itroduces a little loger propagatio delay i key computatio. Because two-roud model aims at small area, implemetatio with wired logic is chose. User Geerate s for Ecryptio Modify s for Decryptio EeL0 EdL0 EeH0 EdH0 if (roud == 0) EeL0, else EL (128 of 2:1 mux) if (roud == 0) EdL0, else EL (128 of 2:1 mux) if (roud < 2) EeH0, else EH (128 of 2:1 mux) if (roud < 2 ) EeH0, else EH (128 of 2:1 mux) the First 4 s for ecryptio the first 4 s for decryptio the Latter 4 s for ecryptio the Latter 4 s for decryptio exteel extedl if (ecryptio) exteel, else extedl (128 of 2:1 mux) exteeh extedh if (ecryptio) exteeh, else extedh (128 of 2:1 mux) register at the risig clock edge of eve rouds EL EL Eve Roud Eve Roud for Ecryptio for Decryptio Ka Kb if (ecryptio) Ka, else Kb (128 of 2:1 mux) register at the risig clock edge of odd rouds EH Odd Roud for Ecryptio Kc EH Odd Roud for Decryptio Kd if (ecryptio) Kc, else Kd (128 of 2:1 mux) Eve Roud Odd Roud Figure 8. Schedulig Module of Two-Roud Model. The most uwieldy part i CRYPTON might be the oliear substitutio, γ. γ cosists of byte-wise substitutio o a 4 4 byte array, i other words etry tables. As Figure 7(a) shows, ecryptio module must have two γ s because γ is distict for odd rouds ad eve rouds. I additio, key schedulig module has - 8 -

9 two γ s for user key expasio, which is used oly oce whe a ew user key is set. Seeig that most of the other operatios takes comparatively small area, icorporatig separate γ s for key expasio looks very mismatched for its rare usage. This lack of balace ca be corrected by sharig γ s betwee the expasio block of key schedulig module ad roud trasformatio block of ecryptio module. This scheme effectively reduces the total area but eeds oe more clock cycle oly for key expasio whe ew expaded keys are to be computed. Figure 7(b) shows the ew block diagram for ecryptio module with γ sharig. I Figure 7(b), outputs Ur ad Vr are fed to the iputs of two 128-bit registers ad stored i them. Those stored values i the registers are used repeatedly for geeratio of roud keys uless a ew user key is set. The key schedulig area also has chage i expasio block. schedulig area takes U ad V [6] the outputs of expaded key registers as iputs, ad performs operatios later tha γ. Combiig ecryptio module ad key schedulig module, the whole ecryptio block is built as show i Figure 9. I Figure 9, Cycle0 is a sigal idicatig the key expasio cycle, ad Cycle1 tells the first cycle amog 7 is goig o. Both sigals are used as cotrol iputs for multiplexers. DATA_IN USER_KEY CLK Separate ito U,V Cycle0 U V Ecryptio Module DATA_OUT Cycle1 Ur 128-bit Register Vr 128-bit Register Ke Ko RESET START Cotrol Module Roud[2:0] U' V' DECR Schedule Module DONE Figure 9. Hierarchical View of Two-Roud Model. 4.2 Full-Roud Model To make a fast desig, pipeliig or loop urollig ca be geerally applied. I pipeliig, the algorithm is partitioed ito several stages, ad this eables several data blocks to be ecrypted simultaeously. This is possible i ECB mode because each result of block ecryptio is idepedet from others. But modes except ECB require the previous result of ecryptio to be available to complete the preset ecryptio, which makes pipeliig useless. Sice most of the recet applicatio of block ciphers use chaiig or feedback mode, speed ehacemet through pipeliig is ot cosidered here. Istead we make full-roud model with 12 rouds fully urolled. This full-roud model computes 12 rouds of trasformatio without loopig, ad it is the fastest but the largest desig amog those exploitig loop-urollig. The loop urollig of 4 or 6 will have just itermediate values of area ad speed betwee those of two-roud model ad full-roud model. Block diagrams for full-roud model are straightforward ad show i Figure 10, Figure 11 ad Figure

10 Iput : 4 32-bit words K0 Byte Substistutio, odd Bit Permutatio, odd Byte Traspositio K1 Byte Substistutio, eve Bit Permutatio, eve Byte Traspositio K2 Byte Substistutio, eve Bit Permutatio, eve Byte Traspositio K12 Byte Traspositio Bit Permutatio, eve Byte Traspositio Output : 4 32-bit words Figure 10. Ecryptio Module of Full-Roud Model. XOR for User Expasio Expasio for Decryptio Kd0 Roud-0 Roud-1 Roud-0 Roud-1 Ke0 MUX K0 Ke0 s s Ke1 Kd0 s s Kd1 Kd1 Roud-2 Roud-3 Roud-2 Roud-3 Ke1 MUX K1 Ke2 Ke4 Ke6 Roud-4 Roud-6 s s s s s s Roud-5 Roud-7 Ke3 Ke5 Ke7 Kd2 Kd4 Kd6 Roud-4 Roud-6 s s s s s s Roud-5 Roud-7 Kd3 Kd5 Kd7 Kd12 Ke12 MUX K12 Roud-8 Roud-9 Roud-8 Roud-9 Ke8 s s Ke9 Kd8 s s Kd9 Roud-10 Roud-11 Roud-10 Roud-11 Ke10 s Ke11 Kd10 s Kd11 Roud-12 Roud-12 Ke12 Kd12 Figure 11. Schedulig Model of Full-Roud Model

11 I key schedulig module of Figure 11, roud-key output K for the th roud will be Ke if ecryptio is performed, ad Kd if decryptio is performed. To achieve high speed, commo logic sharig i expasio block is ot adopted here. Full-roud model tells us area cost of the early pure algorithm because it does t eed ay registers or cotrol uit. But the 12 multiplexers i key schedulig area could ot be removed. INPUT DATA USER KEY ENC/DEC Schedulig Module K0 K1 K2 K3 K4 K5 K6 K7 K8 K9 K10 K11 K12 Ecryptio Module OUTPUT DATA Figure 12. Hierarchical View of Full-Roud Model. 5. Estimatio Results Our estimatios are all based o Syopsys DesigCompiler ad Hyudai 0.35 μm gate array library. Table 1 shows area ad speed of two-roud model ad full-roud model each with two speed-area tradeoffs. I this paper, all estimatios are for typical cases. Gate meas a 2-iput NAND gate, equivalet to 4 trasistors. Table 1. Speed ad Area Estimatios of Hardware CRYPTON. Two-roud model Full-roud model Estimated items Area critical Speed critical Area critical Speed critical Gate cout total gates 18,322 28,179 46,259 93,929 (Cell Area) ecryptio module 8,267 17,958 33,598 74,857 key schedulig module 7,930 8,078 12,661 19,072 Miimum clock period (T clk ) s s s s setup time o the fly o the fly s 7.91 s Time to switch keys s s s 6.13 s Time to ecrypt oe block s s s s (7 T clk ) (7 T clk ) Throughput 898Mbps * 1.66Gbps ** 1.61Gbps ** 2.69Gbps ** * 1Mbps = 1,024 1,024 bps = 1,048,576 bps ** 1Gbps = 1,024 1,024 1,024 bps = 1,073,741,824 bps The two results for two-roud model have idetical logic desig, but are differet oly i optimizatio strategies. The oe idicated as Area Critical was optimized to reduce as much area as possible. O the other had, the result of Speed Critical was obtaied by miimizig the clock period. As show i Time to switch keys, oe clock is spet o expadig the user key whe the user key is switched to a ew value. Sice the desig uses oe clock source for its whole area, the time to switch keys will be at least miimum clock period, but the actual propagatio delay i key expasio is less tha the miimum clock period. Roud keys are geerated o the fly, ad if the user keys remai same, 7 clock cycles are eeded for both ecryptio ad

12 decryptio. The same optimizatio strategies were applied to full-roud model. However, i speed critical optimizatio, the path from data iput to the fial output was optimized rather tha miimizig the clock period as i tworoud model. Although results of full-roud model were etered ito the same format of table with two-roud model, the umbers should ot be compared directly because the two desigs have differet architectures. The followig three explaatios qualify the meaig of each item for full-roud model. Time to switch keys: time from the isertio of a ew user key to the geeratio of the roud 0 key (this is because time take to compute the ext roud key is much shorter tha time to compute oe roud trasformatio. By the time γ operatio of 1 st roud has bee performed, all roud keys from 1 st roud to 12 th roud are available). setup time: time eeded to compute the whole 12 roud keys. Time to ecrypt oe block: The logest path delay from data iput to the fial data output (it is the time take to ecrypt oe block whe all roud keys are set up ad ready to be used). I two-roud model, Total Area is larger tha the sum of ecryptio module ad key schedulig module because area of buffer for expaded keys ad cotrol uit is missig. Full-roud model does t have ay extra logic except ecryptio module ad key schedulig module, ad thus the sum is exactly matched. Two mai issues i logic desig are speed ad area. Because speed ad area are objects of tradeoff i most cases, we ca get the best results o oe criterio by optimizig for it while igorig the other. O the other had, the result is the worst oe for the igored criterio. We ca fid the approximate upper ad lower bouds of speed ad area of CRYPTON by oce optimizig for area ad the for speed. The mai trade-off betwee space ad time takes place i optimizatio of S-box. We could obtai as high speed as 2.6Gbps by growig the area of S-box, but the total umber of gates was over 90,000. Resortig to speed-area tradeoff, two-roud model faster tha full-roud model was possible cotrary to our iitial scheme of usig loop urollig to make a fast desig. I our estimatio, two-roud model was foud more moderate ad practical both i area ad speed tha full-roud model. Although optimizatio i the sythesis tool was very useful to achieve a goal i speed or area, a better result was possible by modifyig the desig itself. 6. Coclusios I this paper, we desiged ad proposed two hardware architectures of CRYPTON exploitig the iheret hardware-friedly features of CRYPTON. The architectures were described i VHDL ad circuits were sythesized usig 0.35 μm gate array with several speed-area tradeoffs. 0.9 Gbps with the smallest area of 18,000 gates ad the fastest speed of 2.6 Gbps with less tha 100,000 gates could be achieved. The speed of 2.6 Gbps is faster tha the commercially available fastest Triple-DES chip with a order of magitude. This is eough speed to support the Gigabit etworks. Sice CRYPTON has good scalability i gate cout, a desiger ca select a proper speed-area tradeoff from the large set choices

13 Refereces 1. L. Geppert ad W. Sweet, Techology 1999 Aalysis & Forcast Commuicatios, IEEE Spectrum, Jauary 1999, pp D. Kosiur, Buildig ad Maagig Virtual Private Networks, Wiley, Aalog Devices, ADSP-2141L SafeNet DSP Prelimiary Techical Data Sheet, REV.PrA, February VLSI Techology, VMS115 IPSec Coprocessor Data Sheet, Rev2.0, Jauary C.H. Lim, CRYPTON: A New 128-bit Block Cipher, Proceedigs of the First Advaced Ecryptio Stadard Cadidate Coferece, (Vetura, Califoria), Natioal Istitute of Stadards ad Techology (NIST), August C.H. Lim, A Revised Versio of CRYPTON CRYPTON Versio 1.0, Proceedigs of the 1999 Fast Software Ecryptio Workshop, March NIST, Request for Cadidate Algorithm Nomiatios for the Advaced Ecryptio Stadard (AES), Federal Register, Vol.62, No.177, September 12, M. Smid ad E. Roback, Developig the Advaced Ecryptio Stadard, Proceedigs of the 1999 RSA Coferece, Jauary E. Biham, A Note o Comparig the AES Cadidates, Proceedigs of the Secod Advaced Ecryptio Stadard Cadidate Coferece, (Rome, Italy), Natioal Istitute of Stadards ad Techology (NIST)", March C.S.K. Clapp, Istructio-level Parallelism i AES Cadidates, Proceedigs of the Secod Advaced Ecryptio Stadard Cadidate Coferece, (Rome, Italy), Natioal Istitute of Stadards ad Techology (NIST)", March B. Scheier, et. al., Performace Compariso of the AES Submissios, Proceedigs of the Secod Advaced Ecryptio Stadard Cadidate Coferece, (Rome, Italy), Natioal Istitute of Stadards ad Techology (NIST)", March