The Study of GF (2 4 ) 2 AES Encryption for Wireless FPGA Node

Transcription

1 The Study of GF (2 4 ) 2 AES Encryption for Wireless FPGA Node W.Suntiamorntut 1, W. Wittayapanpracha Computer Engineering Department, Faculty of Engineering, Prince of Songkla University Hatyai Songkhla Thailand wannarat@coe.psu.ac.th Abstract This paper presents the results of our study in the energy efficient AES encryption using S-box based on Galoisfield (GF) aiming for a wireless FPGA node. The mapped composite-field GF(2 4 ) 2 has been applied to compute S-box. In order to implement the energy efficient AES on FPGA for wireless sensor networks application, the several architectures such as pipelining and parallelism AES have been compared and analyzed. The low power design technique named gating is also applied to enable the necessary logics. By using this technique, we can gain the power saving about 19 percentages. In addition, the AES based on GF(2 4 ) 2 gives the throughput per milli-watts better than the AES based on LUT about 33 percentages. From the results, the AES based on GF (2 4 ) 2 has been therefore chosen to build on a wireless reconfigurable node instead of using a basic structure; LUT in FPGA. Keywords AES; Galois field (GF); FPGA; Wireless Sensor Networks I. INTRODUCTION Wireless sensor networks technology [1] has been introduced and widely used since the early Many applications such as precision agriculture, military, warning disaster and health care monitoring systems have deployed wireless sensor networks. The wireless sensor network consists of several nodes or motes which comprise a microcontroller, a radio transceiver, sensors and energy source (usually a battery). According to the limitation of battery, the energy usage has to be paid attention to seriously. Using the reconfigurable devices in wireless sensor networks [2] has great potential to enhance the processing power and reduce the overall energy consumption, especially in the respects of security and routing. This is a consistency of the use of reconfigurable device such as Field Programmable Gate Array (FPGA) as a sensor node for health care application to perform both signal processing and encryption/decryption. The Advanced Encryption Standard (AES) is one of the top data encryptions in wireless sensor networks [3]. AES has been already appeared in the IEEE and ZigBee standard [4]. The minimum performance of AES is set to the maximum data rate (250 kbps) of the IEEE specification. To meet the lower limit requirement of AES in wireless sensor networks, the operation has to be completed as fast as possible. Meanwhile the energy consumption has to be considered carefully during the design process. The traditional AES consists of four operations, ShiftRow, SubByte, MixColumn and AddRoundKey, whereas SubBytes is the bottleneck of AES operation. The 16-byte data (or 128 bits) as shown in Fig.1 are taken to four processes. In AddRoundKey process, the key can be varied into 128, 196 and 256 bits and be added to the plaintext. All processes have been repeated 10, 12 or 14 rounds depending on the security requirements. In the beginning, Cipher Key is taken to Expand Key performing rotate word, sub-word, round constant and word column. The expanded key operation will be described in more details in Section IV. Fig. 1 AES operations SubByte or S-box function is able to be represented using a multiplicative inverse of GF(2 8 ) and affine transformation. A multiplicative inverse of GF(2 8 ) can be implemented by mapping GF(2 4 ) 2 in order to achieve the performance and energy efficiency [5]. Even, the optimized GF(2 4 ) 2 AES was proposed in [6]. Recently, the circuit was aiming for a ASIC implementation. According to the advantage of reconfigurable architecture, AES based on Look-Up Table (LUT) can be a good candidate. Thus, both AES encryption circuits based on GF(2 4 ) 2 [5] and LUT have been studied and considered in this paper. We are going to compare and analyse both circuits in terms of throughput per mw to find out the suitable AES circuits for wireless sensor network applications. Moreover, we also compare and analyse the pipelining and parallel AES. The rest of this paper is organized as follows: the conventional AES algorithm is described in Section II; the Vol.2 No PP C World Academic Publishing

2 S-box operation, multiplicative inverse based on GF(2 4 ) 2, pipelining, parallelism and the low power design technique are discussed in Section III; the performance and energy efficiency of the experiment results simulated based on virtex- 5 (XC5VLX50) in Xilinx ISE and X Analyzer tool are explained in Section IV; and the paper is concluded in Section V. II. AES ALGORITHMS As shown in Fig.1, each round of AES algorithm has been divided into four operations, the details of each operation are described as follows: B. ShiftRow This function performs a simple shift-left as shown in Fig.3. The first row (Row0) does nothing while the second byte of the second row (Row1) is moved to the left. In the third row (Row2) and forth row (Row3), the data have been rotated 2 and 3 bytes, respectively. C. MixColumn The Mixcloumn is a multiplication operation; the product of a column of state and a finite field constant as shown in (1): (1) The result of this operation is, as following:,,,, 02, 03,,,, 02, 03,,,, 02, 03, 03,,, 02, Fig. 2 ShiftRow operations TABLE I SUBSTSITUTE TABLE (S-BOX), Y a b c d e f c 77 7b f2 6b 6f c b fe d7 ab 76 1 ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd f f7 cc 34 a5 e5 f1 71 d c7 23 c a e2 eb 27 b c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a8 X 7 51 a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 8 cd 0c 13 ec 5f c4 a7 7e 3d 64 5d f dc 22 2a ee b8 14 de 5e 0b db a e0 32 3a 0a c c2 d3 ac e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b f6 0e b9 86 c1 1d 9e e e1 f d9 8e 94 9b 1e 87 e9 ce df f 8c a1 89 0d bf e d 0f b0 54 bb 16 A. Substitute Bytes AES uses an array of byte sized 4x4 named states. Each state is denoted with S r,c, where r is row and c is column as shown in Fig. 2. This function block is called SubByte. All bytes of the state are computed using look-up table called S- box. The substitute data shown in Table I are the hexadecimal numbers. The value of S r,c can be found by looking up the data from a table from X cross Y. For example, S 1,2 = {5 x 3 y } = {ed}. Normally, the table will be implemented using memory structure. However, all entries in table can be calculated using an inversion in the finite field GF(2 8 ). Fig. 3 ShiftRow operations D. AddRoundKey AddRoundKey performs bitwise XOR between the data state and the key from key expansion. III. S-BOX BASED ON GF(2 4 ) 2 In AES, the throughput and power are mainly determined by S-box. The implementation of S-box is very important because it can influence the speed and power dissipation of AES circuits. Normally, S-box can be easily built by look-up table which is suited to the reconfigurable device. However, there is another argument to replace the look-up table by the combinational logics of finite filed GF(2 8 ). Unfortunately, the circuits of GF(2 8 ) is complex. Thus, S-box based on GF(2 4 ) 2 is widely used instead. Fig. 4 S-box operation with gating technique The ordinary S-box operation is shown in Fig.4. The encrypt signal has been used to switch between encryption and decryption mode. If the encrypt signal is set to 1, the encryption process will begin from bypassing the inverse affine transformation (Aff_tran -1 ) to multiplicative inverse directly. The output of multiplicative inverse will perform in the affine transformation. The gating technique has been applied here by inserting AND gate in front of Aff_tran-1 and Aff_trans-blocks in order to stop the unnecessary signals propagate to those two blocks. This will get rid of the waste energy according to the logic switching inside the unwanted block. Affine transformation and inverse affine transformation are computed using the equations in [5] as shown in (2) and (3). Vol.2 No PP C World Academic Publishing

3 _ (2),,, _ (3),,, A. Multiplicative inverse in S-box Before staring the multiplicative inverse as shown in Fig.5, the input of GF(2 8 ) has to map GF(2 4 ) 2 using map(a) function corresponding to the equation (4) [5]., 2,, 2 (4) Addition: Addition of two-term polynomial is the addition of two coefficients that calculated using (5) [5]. (5) Multiplication: Multiplication of two-term polynomial that calculated using (6) [5] and (7) [5]. 1 (6),,, 2 (7) Thus; (9) Thus;,, Inverse: Inverse a element 2 describes in equation 1 and that calculated using (10) [5].,, 2 (10) Thus; ^, ^, ^, ^, ^, ^, ^ ^ ^ ^ ^ Inversion of two-term polynomial used multiplication by inverse yields which are field element: 0 1 when,,, 2 (11),, ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ Squaring: Squaring in GF2 that calculated using (8) [5].,, 2 (8) Multiplication constant: Multiplication GF(2 4 ) with constant e that calculated using (9) [5]. Fig. 5 Multiplicative inversion operation of GF(2 4 ) 2 Finite fields GF(2 8 ) is symmetry with finite fields GF(2 4 ) in terms of bijection. Element 2 can represent in two-term polynomial when, 2. This map function can be expressed in (12) [5].,, 2, 2 (12) Vol.2 No PP C World Academic Publishing

4 ,, Inversion of map (map-1) is changed into two-term polynomial when, 2 to element 2. This function is expressed in (13) [5]., 2,, 2, (13) B. Pipelining S-box S-box has been designed based on pipelining architecture in order to increase the throughput by dividing the operation into several small steps corresponding to the available hardware resources. Normally, the pipelining architecture can achieve a high performance by applying a faster clock frequency. This method allows us to increase the throughput of the circuits with a small amount of logics rather than the parallel architecture. Only the latches are the overhead of pipelining that required to store the data between each state. This paper proposes five states pipelining S-box as shown in Fig.6. We have implemented both 8-bit and 32-bit pipeline to explore which one can give the best energy efficiency of S- box. In 8-bit pipelining, each 8-bit input or one byte (state S 0,0 or S 0,1, or S 3,3 ) is fetched to the state in pipelining. Therefore, we need 21 clock cycles to finish one state as shown in Fig.7. In 32-bit pipelining, each 32-bit input or one row is fetched to the pipelining and takes 9 clock cycles to finish one state as shown in Fig.8. Fig. 7 8-bit S-box pipelining Fig bit S-box pipelining C. Parallel S-box In FPGA or reconfigurable device, the design can take an advantage of parallel structure for performing the arithmetic algorithms. Thus, we implemented the parallel S-box to compare with another structures. The results of our study will inform us the good energy efficient architecture. By using the parallel S-box, the operation is completed within one clock cycle. In this case, the clock frequency is not necessarily set to be fast in order to achieve a high throughput. Therefore, we can reduce the power dissipation by avoiding the computing with a high clock frequency. However, we have to pay for the overhead due to the large amount of logics. A trade-off between power and performance can be achieved by adjusting the numbers of parallel logics. Fig. 6 Five-state in pipelining S-box IV. MEASUREMENT RESULTS After S-box has been implemented using many different types, the AES system has been designed and built as shown in Fig.9. Not only the AES encryption/decryption block, the key schedule, but also the RAM (stored the key) and the clock divider have been implemented. RAM is created to keep the keys that generated in every round of AES operation. Thus, the RAM size should be 128x11 bits. Vol.2 No PP C World Academic Publishing

5 Each round key is generated by the function of expanded key. The number of key can be added up to 4x (10+1) = 44. In words (state: w 0, w 1,,w 33 ) as well as W i, i is in the range 0 i < N b *(Nr+1), N b = 4 and N r = 10. The initial key is defined in term of state key (K 0,0, K 0,1, K 0,2 K 3,2, K 3,3). Then, each column will be read out to form in the word format (W 0, W 1, W 2, W 3 ). After that, the rotate word function or cyclic permutation is invoked. The next step is sub-word function whereas S-box is used here. The output of sub-word will be XORed with the constants of round constant function. The process of expand key can be found in Fig.10. Both S-box and AES algorithm have been implemented using VHDL Language. The synthesized HDLs based on Virtex-5 device XC5VLX50 are simulated on Xilinx ISE The power consumption of the circuits has been analysed by X tool. The random 128 bits plaintexts and keys are used to evaluate the system. A. Measurement Metrics 1) : It measures the number of cipher bits in a duration time. We can calculate using (14). (14) When BS is the number of bits per block, DB denotes the data block of plaintext in AES encryption, CC is the number of clock cycle that represented the processing time, and CP denotes the time period per clock. The best circuit should give the highest throughput. 2) Resource efficiency: It indicates the efficiency of slice usage (refer to the resource in FPGA which consists of LUTs and flip-flop). To analyse the resource efficiency, the ratio of throughput and number of slice is calculated. A maximum ratio indicates the highest resource efficiency. Fig. 9 The architecture of AES Vol.2 No PP C World Academic Publishing Fig. 10 Expand key operation 3) efficiency: It indicates the worth of power usage. We can use a ratio of throughput and power usage as a power efficient indicator. When the throughout per power usage is high, we can conclude that the design achieves a high power efficiency B. Scenario I The random plaint texts have been taken to test with 8-bit pipelining, 32-bit pipelining and parallel S-box. The experiment has been repeated ten times for each S-box type. Then, the average latency is used to compute the resource efficiency as shown in Table II. The parallel S-box gives the best throughput at Gbits per second. It means the circuit

6 is able to perform S-box about 11 Gbits within 1 second. This result is not surprising because the parallel architecture is expected to give the best throughput. The power dissipation results are shown in Table III. The parallel S-box can also give the lowest power dissipation and consequent produce the best power efficiency at It means the parallel S-box can perform 31 Mbits with one milli-watt. The result is contrasting with our expectation that pipelining architecture should gain the lowest power dissipation. Thus, the result can confirm that we can gain the advantage of parallel structure in FPGA to perform the arithmetic operation likes S-box. The architecture selection has to be reconsidered when the circuits are implemented on ASIC rather than reconfigurable device. Types of S-box TABLE II RESOURCE EFFICIENCY COMPARISON OF PIPELINING, PARALLEL AND LUT S-BOXES (Gbits/sec) Area (slice) /Area (Mbits/sec/slice) Parallel bit pipelining bit pipelining Types of S-box TABLE III POWER EFFICIENCY COMPARISON OF PIPELINING, PARALLEL AND LUT S-BOXES dissipation /mw Parallel bit pipelining bit pipelining C. Scenario II The original S-box based on GF(2 4 ) 2 in [5] implementes to compare the power and resource usages with the gating GF(2 4 ) 2 S-box. The same random plaintexts in the previous scenario have been taken to test these two types of S-box. The results in Table IV show that we can reduce the dynamic power according to the logic switching in the unnecessary block by about 19% when the logic gating technique has been applied. Thus the gating S-box is selected to apply in our AES. TABLE IV POWER AND RESOURCES COMPARISON BETWEEN ORIGINAL GF(2 4 ) 2 S-BOX AND GATING GF(2 4 ) 2 S-BOX. Parameter original GF(2 4 ) 2 Gating GF(2 4 ) 2 S-box S-box Number of slice logic Latency (ns) consumption Dynamic power Quiescent power D. Scenario III The AES algorithm is implemented as shown in Fig.9. S- box will be used in two modules: encryption/decryption core and key expansion. The encryption core transforms the plaintext using S-box and the key expansion generates a round key using S-box too. We apply both GF(2 4 ) 2 and LUT S-box in both encryption/decryption core and key expansion. To understand our experiments, we define L as a LUT S-box and Vol.2 No PP C World Academic Publishing G as a GF(2 4 ) 2 S-box. Therefore, we will have four combinations of AES, LL, LG, GL and GG whereas the first letter denotes the encryption/decryption and the second letter is the key expansion. The performance results of AES such as throughput, efficiency, power usage and power efficiency are shown in Table V. Slices TABLE V PERFORMANCE OF AESS (Mbps) (Mbps/Slices) (Mbps/mW) LL LG GL GG LG mean that encryption with LUTs and key expansion with Galois fields L = LUTs, G=Galois Fields The results in Table V show that the simple AES algorithm (LL) uses the resource less than GG by nearly 45%, in contrast to its throughput. The throughput of GG is lower than LL by about 5%. However, the power dissipation of GG is lower than LL by about 30%. Finally, we found that GG or AES based on GF(2 4 ) 2 S-box both in encryption/decryption and key expansion module achieves the best power efficiency. The GG gives the power efficiency better than LL by up to 33.38%. We can also conclude that the S-box based on GF(2 4 ) 2 achieved the best power efficiency as can be seen from the difference of LG and GL results being large. The GL has better results than LG up to 71%. This is because the amount of S-box used in the encryption/decryption module is larger than the key expansion module. The encryption/decryption module can therefore achieve the power efficiency from S-box more than the key expansion module. E. Scenario IV The gating technique is proposed to save the power dissipation of AES in FPGA. In this section, we are going to compare the two types of AES (LL and GG) with the existing research works. In Table VI, the AES implemented in this paper will be represented with (1). While the results of AES used Galois Field and pipeline by [7] are marked as (2). Finally, the designs from [8] are represented with (3). Slice TABLE VI PERFORMANCE COMPARISON (Mbps) (Mbps/Slices) (Mbps/mW) LL(1) LG(1) GL(1) GG(1) LL(2) n/a n/a LG(2) n/a n/a GL(2) n/a n/a GG(2) n/a n/a LL(3) L = LUTs, G=Galois Fields 1) is our technique, 2) Galois field and pipeline [4], 3) LUTs only[5]

7 From Table VI, energy perspective, we found that the Galois Fields can minimize the memory and power usage when compared to LUTs technique in [5]. Although the cost of Galois fields in term of resource usage is higher than LUTs, the throughput is increased up to % and energy is decreased by about 47.65%. V. CONCLUSIONS The evaluations of resource and power efficiency indicate that AES using S-box based on Galois Field gives the best power efficiency even LUT is a basic architecture in FPGA. Therefore, AES based on GF(2 4 ) 2 S-box is well fit to a wireless FPGA node. Slices TABLE VII TOP 3 OF BEST RESOURCE EFFICIENCY Resource 1 LL(3) GL(2) GL(2) GG(1) GG(1) 2 LL(1) LL(2) LG(1) GL(1) LL(1) 3 GL(1) LL(1) LL(2) LG(1) GL(1) In Table VII, we present the top-three of the best AES in terms of the resource usage, throughput, resource efficiency, power dissipation and power efficiency. These results will help the developers to choose the good candidate AES for their applications. However, we finally select the AES based on parallel Galois Field S-box for our wireless FPGA node. In addition, the existing AES in a commercial radio chip can operate the encryption or decryption at 221 microseconds [9]. Its speed is very slow compared to the designs in this paper. Type of AES TABLE VIII SUMMARY OF ENERGY USAGE Latency (ns) (encryption/decryption) Energy Usage (nj) (encryption/decryption) LL / /54.45 LG / / GL / / GG / /78.00 Finally, we present the energy usage of each AES, LL, LG, GL and GG as shown in Table VIII. The speed of encryptions or decryptions are in from 94 to 400 nanoseconds which is faster than the lower limit of data transmission rate in IEEE (250 kbps) by about 1280 to 5000 times. While, the energy usages of AES are varied from 44 to 221 nanojoules. ACKNOWLEDGMENT The authors thank the Centre of Excellence in Wireless Sensor Networks (CoE-WSN), NECTEC-PSU for a post graduated scholarship and Dr.Sakuna Charoenpanyasak for her encouragement and discussion. REFERENCES [1] Hu and X. Cao, Wireless Sensor Networks: Principles and Practice, CRC Press: Taylor & Francis Group, [2] G.G-Mplemenos, K.Papadopoulos and I. Papaefstathiou, Using Reconfigurable Hardware Devices in WSNs for Reducing the Energy Consumption of Routing and Security Tasks, in Proc. IEEE GLOBECOM, 2010, paper , pp [3] T. Kavitha, and D. Sridharan, Security Vulnerabilities In Wireless Sensor Networks: A Survey, in Journal of Information Assurance and Security, vol.5, pp.31-44, [4] IEEE Standard for Information technology- Telecommunications and information exchange between systems- Local and metropolitan area networks- Specific requirements Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (WPANs), ser. IEEE Standard , September [5] J. Wolkerstorfer et al., An ASIC implementation of the AES SBoxes, in Proc. Cryptography Track at RSA Conf.,2002, pp [6] S. K. Mathew et al., 53 Gbps Native GF(2 4 ) 2 Composite-Field. AES- Encrypt/Decrypt Accelerator for Content-Protection in 45 nm High- Performance Microprocessors, in Journal of Solid-State Circuits, vol.46, pp , April, [7] Tanzilur Rahman, Shengyi Pan, Qi Zhang, Design of a High 128-bit AES (Rijndael Block Cipher), in Proc. of the International MultiConference of Engineers and Computer Scientists 2010 Vol II, IMECS [8] Jason Van Dyken, José G. Delgado-Frias, FPGA schemes for minimizing the power-throughput trade-off in executing the Advanced Encryption Standard algorithm, in Journal of Systems Architecture, vol.56, pp , February [9] Shammi Didla et al., Optimizing AES for embedded devices and wireless sensor networks, in Proc. of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities, 2008, paper , pp.1-1 Vol.2 No PP C World Academic Publishing