## Hardware Design and Analysis of Block Cipher Components (2002)

Venue: Information Security and Cryptology – ICISC 2002, Lecture Notes in Computer Science 2587

Citations: 4 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Xiao02hardwaredesign,
  author    = {Lu Xiao and Howard M. Heys},
  title     = {Hardware Design and Analysis of Block Cipher Components},
  booktitle = {Information Security and Cryptology -- ICISC 2002, Lecture Notes in Computer Science 2587},
  year      = {2002},
  pages     = {164--181},
  publisher = {Springer-Verlag}
}
```

### Abstract

This paper describes the efficient implementation of Maximum Distance Separable (MDS) mappings and Substitution-boxes (S-boxes) in gate-level hardware for application to Substitution-Permutation Network (SPN) block cipher design. Different implementations of parameterized MDS mappings and S-boxes are evaluated using gate count as the space complexity measure and gate levels traversed as the time complexity measure. On this basis, a method to optimize MDS codes for hardware is introduced by considering the complexity analysis of bit parallel multipliers. We also provide a general architecture to implement any invertible S-box which has low space and time complexities. As an example, two efficient implementations of Rijndael, the Advanced Encryption Standard (AES), are considered to examine the different tradeoffs between speed and time.
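The abstract measures hardware cost in gate count (space) and gate levels traversed (time), and builds MDS mappings from bit-parallel constant multipliers in the standard basis. The following is an added example, written for this page and not code from the paper, that makes those two measures concrete for the Rijndael field. It assumes a simple counting model that the paper does not spell out here: each output bit of a constant multiplier is an XOR tree over the input bits selected by its row of the binary matrix, built from 2-input XOR gates with no sharing between rows, so space is the number of XOR gates and time is the depth of the deepest tree. The field polynomial (0x11B) and the MixColumns matrix circ(2, 3, 1, 1) are constructed inputs chosen because the page names Rijndael; the MixColumns test column is the one from FIPS-197.

```python
"""Gate-count (space) and gate-level (time) estimates for GF(2^n) constant multipliers
and an MDS mapping assembled from them.

Assumed counting model (not from the paper): a constant multiplier f_C: A -> C*A is
realised as its binary n x n matrix; output bit i is an unshared XOR tree over the
inputs selected by row i, using 2-input XOR gates. Space = XOR gates, time = tree depth.
Constructed inputs: Rijndael's GF(2^8) with x^8+x^4+x^3+x+1 (0x11B) and circ(2,3,1,1)."""
import math

POLY = 0x11B  # Rijndael reduction polynomial (constructed choice for this example)
N = 8         # field degree n

def gf_mul(a, b, poly=POLY, n=N):
    """Multiply a*b in GF(2^n) in the standard (polynomial) basis, shift-and-add."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce modulo the field polynomial
            a ^= poly
    return r

def mult_matrix(c, n=N):
    """Binary n x n matrix M of the constant multiplier A -> C*A.
    Column j is the bit vector of C * x^j; row i lists the input bits feeding output bit i."""
    cols = [gf_mul(c, 1 << j, n=n) for j in range(n)]
    return [[(cols[j] >> i) & 1 for j in range(n)] for i in range(n)]

def apply_matrix(m, x):
    """Evaluate a binary matrix on an integer bit vector (bit j of x is coordinate j)."""
    out = 0
    for i, row in enumerate(m):
        bit = 0
        for j, coef in enumerate(row):
            bit ^= coef & (x >> j) & 1
        out |= bit << i
    return out

def xor_cost(m):
    """(XOR gate count, gate levels) for one unshared 2-input XOR tree per output bit."""
    fan_ins = [sum(row) for row in m]
    gates = sum(max(f - 1, 0) for f in fan_ins)
    levels = max(math.ceil(math.log2(f)) if f > 1 else 0 for f in fan_ins)
    return gates, levels

def mds_matrix(coeffs, n=N):
    """Binary kn x kn matrix of Y = C*X for a k x k matrix C over GF(2^n).
    Each output element is the XOR of k constant-multiplier outputs, so the k*k
    multiplier matrices are placed side by side as blocks."""
    k = len(coeffs)
    big = [[0] * (k * n) for _ in range(k * n)]
    for r in range(k):
        for c in range(k):
            sub = mult_matrix(coeffs[r][c], n)
            for i in range(n):
                for j in range(n):
                    big[r * n + i][c * n + j] = sub[i][j]
    return big

def mds_apply(coeffs, words):
    """Reference evaluation of Y = C*X over GF(2^n), used to check the binary matrix."""
    out = []
    for row in coeffs:
        y = 0
        for c, x in zip(row, words):
            y ^= gf_mul(c, x)
        out.append(y)
    return out

def pack(words, n=N):
    """Concatenate k field elements into one integer, word r occupying bits r*n .. r*n+n-1."""
    return sum(w << (r * n) for r, w in enumerate(words))

# Constructed example mapping: the Rijndael MixColumns circulant matrix circ(2, 3, 1, 1).
MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    for c in (1, 2, 3, 0x0E):
        print("mult by %#04x: %d XOR gates, %d levels" % ((c,) + xor_cost(mult_matrix(c))))
    print("MixColumns (unshared): %d XOR gates, %d levels" % xor_cost(mds_matrix(MIXCOLUMNS)))
```

Running the script shows why the paper's coefficient choice matters: multiplication by 1 costs nothing, by 2 costs 3 XORs at 1 level, by 3 costs 11 XORs at 2 levels, and the whole unshared MixColumns mapping comes to 152 XORs at 3 levels. Sharing common subexpressions across rows, which the model above deliberately ignores, lowers the gate count further; the gate-level figure is the one the model already reports tightly.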

### Citations

**The Theory of Error-Correcting Codes**, MacWilliams and Sloane, 1977 (cited 1950 times)
> Citation context: ..., βk−1, a Cauchy matrix A is constructed with each entry Ai,j = 1/(αi ⊕ βj). Any Cauchy matrix is MDS when α0, ..., αk−1 are distinct, β0, ..., βk−1 are distinct, and αi ≠ βj for all i, j [15]. Although a Cauchy matrix can be conveniently used as matrix C for an MDS mapping, the relation between selected coefficients (i.e., α0, ..., αk−1, β0, ..., βk−1) and corresponding MDS complexi...

**Communication Theory of Secrecy Systems**, Shannon, 1949 (cited 792 times)
> Citation context: ...ced Encryption Standard (AES), are considered to examine the different tradeoffs between speed and time. 1 Introduction In a product cipher, confusion and diffusion are both important to the security [1]. One architecture to achieve this is the Substitution-Permutation Network (SPN). In such a cipher, a Substitution-box (S-box) achieves confusion by performing substitution on a small subblock. An n×m...

**Differential Cryptanalysis of DES-like Cryptosystems**, Biham and Shamir, 1991 (cited 494 times)
> Citation context: ...on a small subblock. An n×m S-box refers to a mapping from an input of n bits to an output of m bits. An S-box is expected to be nonlinear and resistant to cryptanalyses such as differential attacks [2] and linear attacks [3]. In recently proposed SPN-based block ciphers (e.g., Rijndael [4], Hierocrypt [5], Anubis [6], and Khazad [7]), permutations between layers of S-boxes have been replaced by lin...

**Linear Cryptanalysis Method for DES Cipher**, Matsui, 1994 (cited 428 times)
> Citation context: ...n n×m S-box refers to a mapping from an input of n bits to an output of m bits. An S-box is expected to be nonlinear and resistant to cryptanalyses such as differential attacks [2] and linear attacks [3]. In recently proposed SPN-based block ciphers (e.g., Rijndael [4], Hierocrypt [5], Anubis [6], and Khazad [7]), permutations between layers of S-boxes have been replaced by linear transformations in...

**Serpent: A Proposal for the Advanced Encryption Standard**, Biham and Knudsen, 1998 (cited 103 times)
> Citation context: ...6×4 DES S-box contains four of these 6-bit Boolean functions. This general approach can be taken for any size S-box and works well for optimization of small S-boxes such as the 4×4 S-boxes in Serpent [17]. However, in the case of general invertible 8×8 S-boxes used by many ciphers, this method can be improved upon, as we shall see. 3 Optimized MDS Mappings for Hardware 3.1 Complexity of MDS Mappings A...

**Camellia: A 128-bit Block Cipher Suitable for Multiple Platforms**, Aoki, Kanda, et al., 2001 (cited 64 times)
> Citation context: ...n of a decoder-switch-encoder circuit. By use of this model, a good upper bound of the minimum hardware complexity can be deduced for the S-boxes used in SPNs and some Feistel networks (e.g., Camellia [9]). The model can be used as a technique for the construction of S-boxes in hardware so that the space and time complexities are low. In our work, we take the conventional approach that the space compl...

**Efficient VLSI Architectures for Bit-Parallel Computation in Galois Fields**, Paar, 1994 (cited 54 times)
> Citation context: ...Since the generation matrix is constant, each element in the encoded message is the XOR of several outputs of constant multipliers. As basic operators, bit-parallel multipliers given in standard base [12, 13] are selected in this paper. A constant multiplier can be written as a function from element A to element B over GF(2^n) as follows: fC : A ↦ B = C · A (2) where C is the constant element in GF(2^n...

**A Fast New DES Implementation**, Biham, 1997 (cited 29 times)
> Citation context: ...in the former two matrix types. Hence, it is difficult to select coefficients to construct a Cauchy matrix that can be efficiently implemented in hardware. 2.4 A Method to Simplify S-box Circuits In [16], a method of generating a Boolean function through nested multiplexing is introduced to optimize gate circuits for the 6×4 S-boxes in DES implementations. Consider that a Boolean function f(a, b, c...

**VLSI Designs for Multiplications over Finite Fields GF(2^m)**, Mastrovito, 1988 (cited 28 times)
> Citation context: ...Since the generation matrix is constant, each element in the encoded message is the XOR of several outputs of constant multipliers. As basic operators, bit-parallel multipliers given in standard base [12, 13] are selected in this paper. A constant multiplier can be written as a function from element A to element B over GF(2^n) as follows: fC : A ↦ B = C · A (2) where C is the constant element in GF(2^n...

**Efficient Rijndael Encryption Implementation with Composite Field Arithmetic**, Rudra, Dubey, et al., 2001 (cited 25 times)
> Citation context: ...box costs about 2200 gates. Since some operations over the composite field GF((2^4)^2) are more compact than over GF(2^8), an efficient Rijndael design in composite field arithmetic is proposed in [20]. A cryptographic core (i.e., essentially one round mainly consisting of 16 S-boxes and the MDS mapping layer) in [20] only costs about 4000 gates and a delay of 240 gate levels [21] is expected in th...

**Architectural Optimization for a 1.82 Gbits/sec VLSI Implementation of the AES Rijndael Algorithm**, Kuo and Verbauwhede, 2001 (cited 16 times)
> Citation context: ...GF(2^8) and the S-box performs multiplicative inverse over GF(2^8) followed by a bitwise affine operation. With parallel S-boxes implemented through table lookups, a hardware design is proposed in [19]. Adhering to the structure of the algorithm specification of [4] as in Figure 6(a), this design achieves a throughput of 1.82 Gbits/sec in 0.18 µm CMOS technology, where each S-box costs about 2200 g...

**On the Design of Linear Transformations for Substitution-Permutation Encryption Networks**, Youssef, Mister, et al., Workshop on Selected Areas in Cryptography (SAC '97), 1997 (cited 9 times)
> Citation context: ...formation in the last round of encryption. Instead, one additional key mixture is appended at the end of the cipher for security considerations. If the S-box and the MDS mappings are both involutions [8] (i.e., for any input x, f(f(x)) = x where f(·) represents a layer of S-boxes or the MDS layer), both the encryption and decryption operations can be performed by the same SPN except for small changes...

**Efficient Implementation of the Rijndael S-box**, Rijmen, 2001, available at http://www.esat.kuleuven.ac.be/~rijmen/rijndael/sbox.pdf (cited 5 times)
> Citation context: ...is denoted as T(·), and its inverse is T^−1(·). It has been recognized that the multiplicative inverse over GF((2^m)^n) can have a much lower complexity than the equivalent inverse over GF(2^mn) [13, 22]. As an example, the equivalent ByteSub over GF((2^4)^2) costs less than one fifth of the gate count of a general invertible S-box based on the upper bound of 806 in the decoder-switch-encoder S-box...

**The Anubis Block Cipher**, Barreto and Rijmen, NESSIE Algorithm Submission, 2000, available at www.cosic.esat.kuleuven.ac.be/nessie (cited 4 times)
> Citation context: ...pected to be nonlinear and resistant to cryptanalyses such as differential attacks [2] and linear attacks [3]. In recently proposed SPN-based block ciphers (e.g., Rijndael [4], Hierocrypt [5], Anubis [6], and Khazad [7]), permutations between layers of S-boxes have been replaced by linear transformations in the form of mappings based on Maximum Distance Separable (MDS) codes to achieve diffusion. ∗ P...

**The Khazad Legacy-Level Block Cipher**, Barreto and Rijmen, NESSIE Algorithm Submission, 2000, available at www.cosic.esat.kuleuven.ac.be/nessie (cited 4 times)
> Citation context: ...linear and resistant to cryptanalyses such as differential attacks [2] and linear attacks [3]. In recently proposed SPN-based block ciphers (e.g., Rijndael [4], Hierocrypt [5], Anubis [6], and Khazad [7]), permutations between layers of S-boxes have been replaced by linear transformations in the form of mappings based on Maximum Distance Separable (MDS) codes to achieve diffusion. ∗ Presented at the...

Nechvatal, Barker, et al., available at csrc.nist.gov/encryption/aes (cited 2 times)
> Citation context: ...ted implementation, it is difficult to estimate its complexity accurately before synthesis into the targeted technology. From previous FPGA and ASIC implementations of block ciphers such as listed in [10], it is well established that S-boxes normally comprise most of a cipher's area requirement and delay. Although linear components such as MDS mappings are known to be much more efficient than S-boxes,...