A VHDL Implemetation of the Advanced Encryption Standard-Rijndael Algorithm. Rajender Manteena

Transcription

1 A VHDL Implemetation of the Advanced Encryption Standard-Rijndael Algorithm y Rajender Manteena A thesis sumitted in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering Department of Electrical Engineering College of Engineering University of South Florida Major Professor: Wilfrido Moreno, Ph.D. James Leffew, Ph.D. Wei Qian, Ph.D. Date of Approval: March 23, 24 Keywords: decryption, state, cipher. Copyright 24, Rajender Manteena

2 ACKNOWLEDGEMENTS I would like to thank Dr. Moreno, my major professor, for his guidance. Dr. Moreno deserves my deepest gratitude for supporting me financially throughout my master degree program. I would like to thank Dr. Leffew who helped me to uild this thesis. I also acknowledge with gratitude the contriution of journals, papers, organizations and ooks, which I have referred to in the pages of the references. My parents and my wife play an important role in my life. To them I dedicate my thesis. Without their love, affection, motivation and support this thesis would not have een possile. Last ut not the least I would like to thank my friends Narender, Nikhil,Bhasker who have always een with me throughout the work of this thesis.

3 TABLE OF CONTENTS LIST OF FIGURES ABSTRACT iii v CHAPTER INTRODUCTION.. Background of the Algorithm.2. Notation and Conventions Inputs and Outputs Bytes Arrays of Bytes The State The State as an Array of Columns 6.3. Mathematical Background Addition Multiplication Multiplication y x Polynomials with Coefficients in GF (2 8 ) i

4 CHAPTER 2 ENCRYPTION Encryption Process Bytes Sustitution Transformation Shift Rows Transformation Mixing of Columns Transformation Addition of Round Key Transformation Key Schedule Generation 9 CHAPTER 3 DECRYPTION Decryption Process Inverse Bytes Sustitution Transformation Inverse Shift Rows Transformation Inverse Mixing of Columns Transformation 24 CHAPTER 4 IMPLEMENTATION AND RESULTS Encryption Implementation Decryption Implementation Hardware Implementation Conclusions 33 REFERENCES 34 APPENDICES 35 Appendix A: Terms and Definitions 36 Appendix B: Cipher Example 38 Appendix C: Example Vectors 4 Appendix D: VHDL Design Code 56 ii

5 LIST OF FIGURES Figure. Hexadecimal Representation of Bit Patterns 3 Figure 2. Indices for Bytes and Bits 4 Figure 3. State Array Input and Output 5 Figure 4. Encryption Process 3 Figure 5. Matrix Notation of S-ox 5 Figure 6. Application of the S-ox to Each Byte of the State 5 Figure 7. S-ox Values for All 256 Cominations in Hexadecimal Format 6 Figure 8. Cyclic Shift of the Last Three Rows of the State 7 Figure 9. Mixing of Columns of the State 8 Figure. Exclusive-OR Operation of State and Cipher Key Words 9 Figure. Key-Block- Round Cominations 2 Figure 2. Decryption Process 2 Figure 3. Application of the Inverse S-ox to Each Byte of the State 22 Figure 4. Inverse S-ox Values for All 256 Cominations in Hexadecimal Format 23 iii

6 Figure 5. Inverse Cyclic Shift of the Last Three Rows of the State 24 Figure 6. Inverse Mix Column Operation on State 25 Figure 7. Basic Characteristics of the ACEXK Family Devices 27 Figure 8. Waveforms of 8-it Byte Sustitution 28 Figure 9. Waveforms of Shift Row Transformation 28 Figure 2. Waveforms of Mix Column Transformation 29 Figure 2. Waveforms of Key Schedule Generation 29 Figure 22. Waveforms of 8-it Inverse Byte Sustitution 3 Figure 23. Waveforms of Inverse Shift Row Transformation 3 Figure 24. Waveforms of Inverse Mix Column Transformation 3 Figure 25. Block Diagram of AES Hardware Implementation 32 iv

7 A VHDL IMPLEMENTATION OF THE ADVANCED ENCRYPTION STANDARD-RIJNDAEL ALGORITHM Rajender Manteena ABSTRACT The National Institute of Standards and Technology (NIST) has initiated a process to develop a Federal information Processing Standard (FIPS) for the Advanced Encryption Standard (AES), specifying an Advanced Encryption Algorithm to replace the Data Encryption standard (DES) the Expired in 998. NIST has solicited candidate algorithms for inclusion in AES, resulting in fifteen official candidate algorithms of which Rijndael was chosen as the Advanced Encryption Standard. The Advanced Encryption Standard can e programmed in software or uilt with pure hardware. However Field Programmale Gate Arrays (FPGAs) offer a quicker, more customizale solution. This research investigates the AES algorithm with regard to FPGA and the Very High Speed Integrated Circuit Hardware Description language (VHDL). Altera Max+plus II software is used for simulation and optimization of the synthesizale VHDL code. All the transformations of oth Encryptions and Decryption are simulated using an iterative design approach in order to minimize the hardware consumption. Altera ACEXK Family devices are utilized for hardware evaluation. v

8 CHAPTER INTRODUCTION.. Background of the Algorithm The National Institute of Standards and Technology, (NIST), solicited proposals for the Advanced Encryption Standard, (AES). The AES is a Federal Information Processing Standard, (FIPS), which is a cryptographic algorithm that is used to protect electronic data. The AES algorithm is a symmetric lock cipher that can encrypt, (encipher), and decrypt, (decipher), information. Encryption converts data to an unintelligile form called cipher-text. Decryption of the cipher-text converts the data ack into its original form, which is called plaintext. The AES algorithm is capale of using cryptographic keys of 28, 92, and 256 its to encrypt and decrypt data in locks of 28 its. Many algorithms were originally presented y researchers from twelve different nations. Fifteen, (5), algorithms were selected from the first set of sumittals. After a study and selection process five, (5), were chosen as finalists. The five algorithms selected were MARS, RC6, RIJNDAEL, SERPENT and TWOFISH. The conclusion was that the five Competitors showed similar characteristics. On Octoer 2 nd 2, NIST announced that the Rijndael Algorithm was the winner of the contest. The Rijndael Algorithm was chosen since it had the est overall scores in security, performance, efficiency, implementation aility and flexiility, [NIS]. The Rijndael algorithm was

9 developed y Joan Daemen of Proton World International and Vincent Fijmen of Katholieke University at Leuven. The Rijndael algorithm is a symmetric lock cipher that can process data locks of 28 its through the use of cipher keys with lengths of 28, 92, and 256 its. The Rijndael algorithm was also designed to handle additional lock sizes and key lengths. However, the additional features were not adopted in the AES. The hardware implementation of the Rijndael algorithm can provide either high performance or low cost for specific applications. At ackone communication channels or heavily loaded servers it is not possile to lose processing speed, which drops the efficiency of the overall system while running cryptography algorithms in software. On the other side, a low cost and small design can e used in smart card applications, which allows a wide range of equipment to operate securely. [6].2. Notation and Conventions.2.. Inputs and Outputs The input and output for the AES algorithm consists of sequences of 28 its. These sequences are referred to as locks and the numers of its they contain are referred to as their length. The Cipher Key for the AES algorithm is a sequence of 28, 92 or 256 its. Other input, output and Cipher Key lengths are not permitted y this standard. The its within such sequences are numered starting at zero and ending at one less than the sequence length, which is also termed the lock length or key length. The numer i attached to a it is known as its index and will e in one of the ranges i < 28, i < 92 or i < 256 depending on the lock length or key length specified. 2

10 .2.2. Bytes The asic unit of processing in the AES algorithm is a yte, which is a sequence of eight its treated as a single entity. The input, output and Cipher Key it sequences descried in Section. are processed as arrays of ytes that are formed y dividing these sequences into groups of eight contiguous its to form arrays of ytes. For an input, output or Cipher Key denoted y a, the ytes in the resulting array are referenced using one of the two forms, a n or a[n], where n will e in a range that depends on the key length. For a key length of 28 its, n lies in the range n < 6. For a key length of 92 its, n lies in the range n < 24. For a key length of 256 its, n lies in the range n < 32. All yte values in the AES algorithm are presented as the concatenation of the individual it values, ( or ), etween races in the order { 7, 6, 5, 4, 3, 2,, }. These ytes are interpreted as finite field elements using a polynomial representation x 7 + x x i + x + x + x + x + = x () i For example, {} identifies the specific finite field element x + x + x +. It is also convenient to denote yte values using hexadecimal notation with each of two groups of four its eing denoted y a single hexadecimal character. The hexadecimal notation scheme is depicted in Figure.. 7 i= Figure. Hexadecimal Representation of Bit Patterns [] 3

11 Hence the element {} can e represented as {63}, where the character denoting the four-it group containing the higher numered its is again to the left. Some finite field operations involve one additional it { 8 } to the left of an 8-it yte. When the 8 it is present, it appears as {} immediately preceding the 8-it yte. For example, a 9-it sequence is presented as {} {} Arrays of Bytes Arrays of ytes are represented in the form a a a 2 a 5. The ytes and the it ordering within ytes are derived from the 28-it input sequence, input input input 2 input 26 input 27 as a = {input, input,, input 7 }, a = {input 8, input 9,, input 5 } with the pattern continuing up to a 5 = {input 2, input 2,, input 27 }. The pattern can e extended to longer sequences associated with 92 and 256 it keys. In general, a n = {input 8n, input 8n+,, input 8n+7 }. An example of yte designation and numering within ytes for a given input sequence is presented in Figure 2. Figure 2. Indices for Bytes and Bits [].2.4. The State Internally, the AES algorithm s operations are performed on a two-dimensional array of ytes called the State. The State consists of four rows of ytes. Each row of a state contains N numers of ytes, where N is the lock length divided y 32. In the State array, which is denoted y the symol S, each individual yte has two indices. The first yte index is the row numer r, which lies in the range r 3 and the second yte 4

12 index is the column numer c, which lies in the range c N. Such indexing allows an individual yte of the State to e referred to as S r,c or S [r,c]. For the AES N = 4, which means that c 3. At the eginning of the Encryption and Decryption the input, which is the array of ytes symolized y in in in 5 is copied into the State array. This activity is illustrated in Figure 3. The Encryption or Decryption operations are conducted on the State array. After manipulation of the state array has completed its final value is copied to the output, which is an array of ytes symolized y out out out 5. Input Bytes State Array Output Bytes Figure 3. State Array Input and Output [] At the start of the Encryption or Decryption the input array is copied to the State array with S [r, c] = in[r + 4c] where r 3 and c N At the end of the Encryption and Decryption the State is copied to the output array with out[r + 4c] = S [r,c] where r 3 and c N. 5

13 .2.5. The State as an Array of Columns The four ytes in each column of the State form 32-it words, where the row numer r provides an index for the four ytes within each word. Therefore, the state can e interpreted as a one-dimensional array of 32 it words, which is symolized y w...w 3. The column numer c provides an index into this linear State array. Considering the State depicted in Figure3, the State can e considered as an array of four words where w = S, S, S 2, S 3,, w = S, S, S 2, S 3,, w 2 = S,2 S,2 S 2,2 S 3,2 and w 3 = S,3 S,3 S 2,3 S 3,3..3. Mathematical Background Every yte in the AES algorithm is interpreted as a finite field element using the notation introduced in Section...2. All Finite field elements can e added and multiplied. However, these operations differ from those used for numers and their use requires investigation..3.. Addition The addition of two elements in a finite field is achieved y adding the coefficients for the corresponding powers in the polynomials for the two elements. The addition is performed through use of the XOR operation, which is denoted y the operator symol. Such addition is performed modulo-2. In modulo-2 addition =, =, 6

14 = and =. Consequently, sutraction of polynomials is identical to addition of polynomials. Alternatively, addition of finite field elements can e descried as the modulo-2 addition of corresponding its in the yte. For two ytes {a 7 a 6 a 5 a 4 a 3 a 2 a a } and { }, the sum is {c 7 c 6 c 5 c 4 c 3 c 2 c c }, where each c i = a i i where i represents corresponding its. For example, the following expressions are equivalent to one another. (x x + x + x + ) + (x + x + ) = x + x + x x (Polynomial notation) { } {} = {} (Binary notation) { 57} {83} = { d4} (Hexadecimal notation).3.2. Multiplication In the polynomial representation, multiplication in Galois Field GF (2 8 ) (denoted y ) corresponds with the multiplication of polynomials modulo an irreducile polynomial of degree 8. A polynomial is irreducile if its only divisors are one and itself. For the AES algorithm, this irreducile polynomial is given y the equation (2) m ( x) = x + x + x + x + (2) 7

15 For example, { 57} {83} = { c} ecause ( x + x + x + x + )( x + x + ) = x + x + x + x + x 7 + x x + x + x + x + x x + x + x = x + x + x + x + x + x + x + x x + x + x + x + x + x + x + x + Modulo ( x + x + x + x + ) 7 6 = x + x +. The modular reduction y m(x) ensures that the result will e a inary polynomial of degree less than 8, which can e represented y a yte. Unlike addition, there is no simple operation at the yte level that corresponds to this multiplication. The multiplication defined aove is associative and the element {} is the multiplicative identity. For any non-zero inary polynomial (x) of degree less than 8, the multiplicative inverse of (x), denoted - (x), can e found. The inverse is found through use of the extended Euclidean algorithm to compute polynomials a(x) and c(x) such that ( x) a( x) + m( x) c( x) =. (3) Hence, a(x) (x) mod m(x) =, which means ( x) = a( x) mod m( x) (4) Moreover, for any a(x), (x) and c(x) in the field, it holds that a ( x) ( ( x) + c( x)) = a( x) ( x) + a( x) c( x) (5) It follows that the set of 256 possile yte values, with XOR used as addition and multiplication defined as aove, has the structure of the finite field GF (2 8 ). 8

16 .3.3. Multiplication y x Multiplying the inary polynomial defined in equation () with the polynomial x results in x + x + x + x + x + x + x +. (6) x The result x (x) is otained y reducing the aove result modulo m(x). If 7 equals zero the result is already in reduced form. If 7 equals one the reduction is accomplished y sutracting the polynomial m(x). It follows that multiplication y x, which is represented y {} or {2}, can e implemented at the yte level as a left shift and a susequent conditional itwise XOR with {}. This operation on ytes is denoted y xtime( ). Multiplication y higher powers of x can e implemented y repeated application of xtime( ). Through the addition of intermediate results, multiplication y any constant can e implemented. For example, {57} {3} = {fe} ecause {57} {2} = xtime ({57}) = {ae} {57} {4} = xtime ({ae}) = {47} {57} {8} = xtime ({47}) = {8e} {57} {} = xtime ({8e}) = {7}, Thus, {57} {3} = {57} ({} {2} {}) = {57} {ae} {7} = {fe}. 9

17 .3.4. Polynomials with Coefficients in GF (2 8 ) Four-term polynomials can e defined with coefficients that are finite field elements as the following equation (7) a = + (7) 3 2 ( x) a3x + a2 x + ax a which will e denoted as a word in the form [a, a, a2, a3 ]. Note that the polynomials in this section ehave somewhat differently than the polynomials used in the definition of finite field elements, even though oth types of polynomials use the same indeterminate, x. The coefficients in this section are themselves finite field elements, i.e., ytes, instead of its; also, the multiplication of four-term polynomials uses a different reduction polynomial, defined elow. To illustrate the addition and multiplication operations, let = + (8) 3 2 ( x) 3 x + 2 x + x define a second four-term polynomial. Addition is performed y adding the finite field coefficients of like powers of x. This addition corresponds to an XOR operation etween the corresponding ytes in each of the words in other words, the XOR of the complete word values Thus, using the equations of (7) and (8), 3 2 a x) + ( x) = ( a ) x + ( a ) x + ( a ) x + ( a ) (9) ( Multiplication is achieved in two steps. In the first step, the polynomial product c(x) = a(x) (x) is algeraically expanded, and like powers are collected to give c = + () ( x) c6 x + c5x + c4x + c3x + c2 x + cx c where

18 a c a a c a a a c a a a a c a a a c a a c a c = = = = = = = The result, c(x), does not represent a four-yte word. Therefore, the second step of the multiplication is to reduce c(x) modulo a polynomial of degree 4; the result can e reduced to a polynomial of degree less than 4. For the AES algorithm, this is accomplished with the polynomial x 4 +, so that. ) mod( mod 4 4 i i x x x = + () The modular product of a(x) and (x), denoted y a(x) (x), is given y the four-term polynomial d(x), defined as follows ) ( d x d x d x d x d = (2) with ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( a a a a d a a a a d a a a a d a a a a d = = = = When a(x) is a fixed polynomial, the operation defined in equation (2) can e written in matrix form as the following equation (3). = a a a a a a a a a a a a a a a a d d d d (3)

19 Because x 4 + is not an irreducile polynomial over GF(2 8 ), multiplication y a fixed four-term polynomial is not necessarily invertile. However, the AES algorithm specifies a fixed four-term polynomial that does have an inverse is given y 3 2 a ( x) = {3} x + {} x + {} x + {2} (4) 3 2 a ( x) = {} x + {d} x + {9} x + {e} (5) Another polynomial used in the AES algorithm has a = a = a 2 = {} and a 3 = {}, which is the polynomial x 3. Inspection of equation (3) aove will show that its effect is to form the output word y rotating ytes in the input word. This means that [,, 2, 3 ] is transformed into [, 2, 3, ]. 2

20 CHAPTER 2 ENCRYPTION 2.. Encryption Process The Encryption process of Advanced Encryption Standard algorithm is presented elow, in figure 4. Key Schedule Figure 4. Encryption Process [6] 3

21 This lock diagram is generic for AES specifications. It consists of a numer of different transformations applied consecutively over the data lock its, in a fixed numer of iterations, called rounds. The numer of rounds depends on the length of the key used for the encryption process Bytes Sustitution Transformation The ytes sustitution transformation Bytesu (state) is a non-linear sustitution of ytes that operates independently on each yte of the State using a sustitution tale(sox) presented in figure7. This S-ox which is invertile, is constructed y composing two transformations. Take the multiplicative inverse in the finite field GF (2 8 ), descried in Section.3.2. The element {} is mapped to itself. 2. Apply the following affine transformation (over GF (2)) ' i = i ( i+ 4) mod 8 ( i+ 5) mod8 ( i+ 6) mod8 ( i+ 7) mod8 c i (6) for i 8, where i is the i th it of the yte, and c i is the i th it of a yte c with the value {63} or {}. Here and elsewhere, a prime on a variale (e.g., ) indicates that the variale is to e updated with the value on the right. In matrix form, the affine transformation element of the S-ox can e expressed as 4

22 5 + = ' 7 ' 6 ' 5 ' 4 ' 3 ' 2 ' ' Figure 5. Matrix Notation of S-ox [] Figure 6. Application of S-ox to the Each Byte of the State [] The S-ox used in the Su Bytes transformation is presented in hexadecimal form in figure 7. For example, if =S, = {53}, then the sustitution value would e determined y the intersection of the row with index 5 and the column with index 3 in figure 7. This would result in S', having a value of {ed}.

23 Figure 7. S-ox Values for All 256 Cominations in Hexadecimal Format [] 2.3. Shift Rows Transformation In the Shift Rows transformation ShiftRows( ), the ytes in the last three rows of the State are cyclically shifted over different numers of ytes (offsets). The first row, r =, is not shifted. Specifically, the ShiftRows( ) transformation proceeds as follows s ' r, c sr,( c + shift( r, N)) mod N = for < r < 4 and c N, Where the shift value shift(r, N) depends on the row numer, r, as follows (N = 4) Shift (,4) = : Shift(2,4) = 2; Shift(3,4) = 3. This has the effect of moving ytes to lower positions in the row (i.e., lower values of c in a given row), while the lowest ytes wrap around into the top of the row (i.e., higher values of c in a given row). Figure 7 illustrates the ShiftRows( )transformation. 6

24 Figure 8. Cyclic Shift of the Last Three Rows of the State [] 2.4. Mixing of Columns Transformation This transformation is ased on Galois Field multiplication. Each yte of a column is replaced with another value that is a function of all four ytes in the given column. The MixColumns( ) transformation operates on the State column-y-column, treating each column as a four-term polynomial as descried in Section The columns are considered as polynomials over GF (2 8 ) and multiplied modulo x 4 + with a fixed polynomial a(x), given y the following equation. 3 a ( x) = {3} x + {} x + {} x + {2}. 2 As descried in Section..3.4, this can e written as a matrix multiplication. Let ' S ( x) = a( x) S( x) 7

25 S S S S ', c ', c ', c ', c 2 = S S 3S 2 S, c, c, c, c for c < N. As a result of this multiplication, the four ytes in a column are replaced y the following S S S S ', c ', c ' 2, c ' 3, c = ({2} S, c ) ({3} S, c ) S2, c S3, c = S, c ({2} S, c ) ({3} S2, c ) S3, c = S, c S, c ({2} S2, c ) ({3} S3, c ) = ({3} S ) S S ({2} S ), c, c 2, c 3, c Figure 9. Mixing of Columns of the State [] 2.5. Addition of Round Key Transformation In the Addition of Round Key transformation AddRoundKey( ), a Round Key is added to the State y a simple itwise XOR operation. Each Round Key consists of N words from the key schedule generation (descried in following section 2.6). Those N words are each added into the columns of the State, such that 8

26 ', ', ', ', [ S c, S c, S 2 c, S 3 c,] = [ S, c, S, c, S2, c, S3, c ] [ W round * N ] for c<n, Figure. Exclusive-OR Operation of State and Cipher Key Words [] where [w i ] are the key generation words descried in chapter 3, and round is a value in the range in the Encryption, the initial Round Key addition occurs when round =, prior to the first application of the round function. The application of the AddRoundKey ( ) transformation to the Nr rounds of the encryption occurs when round Nr. The action of this transformation is illustrated in figure, where l = round * N. The yte address within words of the key schedule was descried in Section Key Schedule Generation Each round key is a 4-word (28-it) array generated as a product of the previous round key, a constant that changes each round, and a series of S-Box (figure6) lookups for each 32-it word of the key. The first round key is the same as the original user input. Each yte (w - w 3 ) of initial key is XOR d with a constant that depends on the current round, and the result of the S-Box lookup for w i, to form the next round key. The numer of rounds required for three different key lengths is presented in figure. 9

27 Key Length Block Size Numer of (Nk Words) (N Words) Rounds (Nr) AES AES AES Figure. Key-Block- Round Cominations [] The Key schedule Expansion generates a total of N(Nr + ) words: the algorithm requires an initial set of N words, and each of the Nr rounds requires N words of key data. The resulting key schedule consists of a linear array of 4-yte words, denoted [wi], with i in the range i < N(Nr + ). 2

28 CHAPTER 3 DECRYPTION 3.. Decryption Process The Decryption process of Advanced Encryption Standard algorithm is presented elow, in figure2. Key Schedule Figure 2. Decryption Process [6] 2

29 This process is direct inverse of the Encryption process (chapter2). All the transformations applied in Encryption process are inversely applied to this process. Hence the last round values of oth the data and key are first round inputs for the Decryption process and follows in decreasing order Inverse Bytes Sustitution Transformation Inverse Byte Sustitution Transformation InvSuBytes( ) is the inverse of the yte sustitution transformation, in which the inverse S-Box (figure4) is applied to each yte of the State. This is otained y applying the inverse of the affine transformation to the equation (6) followed y taking the multiplicative inverse in GF (2 8 ). Figure 3. Application of the Inverse S-ox to Each Byte of the State [] 22

30 Figure 4. Inverse S-ox Values for All 256 Cominations in Hexadecimal Format 3.3. Inverse Shift Rows Transformation Inverse Shift Rows Transformation InvShiftRows( ) is the inverse of the ShiftRows( ) transformation presented in Chater2. The ytes in the last three rows of the State are cyclically shifted over different numers of ytes. The first row, r =, is not shifted. The ottom three rows are cyclically shifted y N-shift(r, N) ytes, where the shift value shift(r, N) depends on the row numer, and is explained in Section.2.3. Specifically, the InvShiftRows( ) transformation proceeds as follows ' S r, ( c shift( r, N))mod N = Sr, c + for r<4 and c<n 23

31 Figure 5. Inverse Cyclic Shift of the Last Three Rows of the State [] 3.4. Inverse Mixing of Columns Transformation Inverse Mixing of Columns Transformation InvMixColumns( ) is the inverse of the MixColumns ( ) transformation) presented in chapter2. InvMixColumns ( ) operates on the State column-y-column, treating each column as a four term polynomial as descried in Section The columns are considered as polynomials over GF (2 8 ) and multiplied modulox 4 + with a fixed polynomial a - (x), given y 3 a ( x) = {} x + {d} x + {9} x + {e}. As descried in Section..3.4, this can e written as a matrix multiplication. Let ' S ( x) = a ( x) S( x) 2 24

32 S S S S ', c ', c ', c ', c e 9 = d e 9 d d e 9 9 S ds S e S, c, c, c, c for c<n. As a result of this multiplication, the four ytes in a column are replaced y the following equations. S S S S ', c ', c ' 2, c ' 3, c = ({e} S, c ) ({} S, c ) ({d} S2, c ) ({9} S3, c ) = ({9} S, c ) ({e} S, c ) ({} S2, c ) ({d} S3, c ) = ({d} S, c ) ({9} S, c ) ({e} S2, c ) ({} S3, c ) = ({} S ) ({d} S ) ({9} S ) ({e} S ), c Hence, State can e represented as, c 2, c 3, c InvMixColumn( ) Figure 6. Inverse Mix Column Operation on State [] 25

33 CHAPTER 4 IMPLEMETATION AND RESULTS 4.. Encryption Implementation VHDL is used as the hardware description language ecause of the flexiility to exchange among environments. The code is pure VHDL that could easily e implemented on other devices, without changing the design. The software used for this work is Altera Max+plus II.2. This is used for writing, deugging and optimizing efforts, and also for fitting, simulating and checking the performance results using the simulation tools availale on MaxPlus II design software. All the results are ased on simulations from the Max+plus II and Quartus tools, using Timing Analyzer and Waveform Generator. All the individual transformation of oth encryption and decryption are simulated using FPGA ACEXK family and EPK devices. The characteristics of the devices are presented in figure 7. An iterative method of design is implemented to minimize the hardware utilization and the fitting is done y the Altera s Quartus fitter Technology. 26

34 General Characteristics of the ACEX Family Device EPK EPK3 EPK5 EPK Typical Gates, 3, 5,, Maximum System Gates 56, 9, 99, 257, Logic Elements 576,728 2,88 4,992 Emedded Array Blocks (EABs) Maximum Bits RAM ,288 24,576 4,96 49,52 Speed Grades -, -2, -3 -, -2, -3 -, -2, -3 -, -2, -3 Package (mm) -Pin TQFP 66 Maximum User I/O Pins 44-Pin TQFP Pin PQFP Pin (BGA) Pin (BGA) Figure 7. Basic Characteristics of the ACEXK Family Devices [4] In order to allow a full parallel process of the state, it is necessary to implement all the transformations over 28 its. The most expensive one is the Byte sustitution, ecause it is a tale lookup operation, implemented as ROM. Each 8 its requires a 248 it ROM. To process 28 its it is necessary its. The Key Expansion uses a Byte sustitution operation over 32 its also, so another 892 its should e allocated. The following figure 8 shows the waveforms generated y the 8-it yte sustitution transformation. The inputs are clock of ns time period, Active High reset, and 8-it state as a standard logic vector, whose output is 8-it S-ox lookup sustitution. This design utilizes 32% of the area of EPKFC484-, around 63 logic elements are consumed to implement only 8-it S-ox lookup tale. Hence, approximately 2, logic elements are necessary to implement the complete 28-it yte sustitution transformation. It can e done y the APEX2K family devices. 27

35 Figure 8. Waveforms of 8-it Byte Sustitution The following figure 9 represents the waveforms generated y the 8-it yte sustitution transformation. The inputs are clock of ns time period, Active High reset, and 28-it state as a standard logic vector, whose output is shifted as explained in the section 2.3. Design utilizes 2% of the area of EPKFC484-, around 28 logic elements are consumed. Figure 9. Waveforms of Shift Row Transformation The following figure 2 represents the waveforms generated y the 2 8-it Mix Columns transformation. The inputs are clock of ns time period, Active High reset, and 28-it state as a standard logic vector, whose output is shifted as explained in the section 2.4. Design utilizes 5% of the area of EPKFC484-, around 56 logic elements are consumed. 28

36 Figure 2. Waveforms of Mix Column Transformation The following figure 2 represents the waveforms generated y the 28-it Key Schedule Generation. The inputs are clock of ns time period, Active High reset, round, and 28-it state as a standard logic vector, whose output is the 28-it key for round one is generated. Design utilizes 74% of the area of EPKFC484-, around 37 logic elements are consumed. Figure 2. Waveforms of Key Schedule Generation 29

37 4.2. Decryption Implementation The decryption implementation results are similar to the encryption implementation. The key schedule generation module is modified in the reverse order. In which last round key is treated as the first round and decreasing order follows. The following figure 22 represents the waveforms generated y the 8-it yte sustitution transformation. The inputs are clock of ns time period, Active High reset, and 8-it state as a standard logic vector, whose output is 8-it Inverse S-ox lookup sustitution. This design utilizes 5% of the area of EPK3TC44-, around 877 logic elements are consumed to implement only 8-it S-ox lookup tale Figure 22. Waveforms of 8-it Inverse Byte Sustitution The following figure 23 represents the waveforms generated y the 8-it Inverse yte sustitution transformation. The inputs are clock of ns time period, Active High reset, and 8-it state as a standard logic vector whose output is shifted as explained in the section 3.3. Design utilizes 2% of the area of EPKFC484-, around 28 logic elements are consumed. 3

38 Figure 23. Waveforms of Inverse Shift Row Transformation The following figure 24 represents the waveforms generated y the 8-it yte sustitution transformation. The inputs are clock of ns time period, Active High reset, and 8-it state as a standard logic vector, whose output is shifted as explained in the section 3.4. Design utilizes 2% of the area of EPKFC484-, around 624 logic elements are consumed. Figure 24. Waveforms of Inverse Mix Column Transformation 3

39 4.3. Hardware Implementation The following figure 25 represents complete hardware implementation of the oth encryption and decryption with key generation modules. Plaintext/Ciphertext 28-it Clk En= or Key Length 2-Bit Encryption/Decryption Round 28-Bit Key Input Output 28-Bit Clk2 Secret Key 28/92/256 Key Schedule Generation Figure 25. Block Diagram of AES Hardware Implementation Key Schedule Generation lock can generate the required keys for the process with secret key and Clk2 as inputs; these generated keys are stored in internal ROM and read y Encryption/Decryption lock for each round to otain a distinct 28-it key with Round counter, where Encryption/Decryption module takes 28-it plaintext or ciphertext as input with respective to the Clk (If En=or process is encryption or decryption respectively). In order to distinguish the numer of rounds, a 2-it Key Length input is given to this module where,, represents (28-it key), 2(92- it key), 4(256-it key) rounds respectively, generates the final output of 28-it cipher or plaintext. 32

40 4.4. Conclusions Optimized and Synthesizale VHDL code is developed for the implementation of oth encryption and decryption process. Each program is tested with some of the sample vectors provided y NIST and output results are perfect with minimal delay. Therefore, AES can indeed e implemented with reasonale efficiency on an FPGA, with the encryption and decryption taking an average of 32 and 34 ns respectively (for every 28 its). The time varies from chip to chip and the calculated delay time can only e regarded as approximate. Adding data pipelines and some parallel cominational logic in the key scheduler and round calculator can further optimize this design. 33

41 REFERENCES [] FIPS 97, Advanced Encryption Standard (AES), Novemer 26, 2 [2] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Sumission, Septemer 3, [3] ALTERA. Max+plus II VHDL. San Jose. Altera, 996 [4] ALTERA ACEXK Emedded Programmale Logic Family Data Sheet, pdf files, (May 23) [5] ALTERA High-Speed Rijndael Encryption/Decryption Processors, [6] Marcelo B. de Barcelos Design Case, Optimized performance and area implementation of Advanced Encryption Standard in Altera Devices, y, [7] FPGA Simulations of Round 2 Advanced Encryption Standards [8] [9] Tilorg, Henk C. A. van. Fundamentals of Cryptology: A Professional Reference and Interactive Tutorial, New York Kluwer Academic Pulishers, 22 [] Peter J. Ashenden, The Designer's Guide to VHDL, 2 nd Edition, San Francisco, CA, Morgan Kaufmann, 22 34

42 APPENDICES 35

43 Appendix A: Terms and Definitions The following definitions are used throughout this standard Terms Definitions AES Affine Transformation Array Bit Advanced Encryption Standard. A transformation consisting of multiplication y a matrix followed y the addition of a vector. An enumerated collection of identical entities. A inary digit having a value of or. Block Sequence of inary its that comprise the input, output, State, and Round Key. The length of a sequence is the numer of its it contains. Blocks are also interpreted as arrays of ytes. Byte A group of eight its that is treated either as a single entity or as an array of 8 individual its. Encryption or ciphertext Cipher Key Cipher Series of transformations that converts plaintext to using the Cipher Key Secret, cryptographic key that is used y the Key Expansion routine to generate a set of Round Keys; can e pictured as a rectangular array of ytes, having four rows and Nk columns. 36

44 Appendix A (continued) Ciphertext Decryption or Inverse Cipher Key Schedule Data output from the Encryption or input to the decryption. Series of transformations that converts ciphertext to plaintext using the Cipher Key. Routine used to generate a series of Round Keys from the Cipher Key. Plaintext Rijndael Data input to the Cipher or output from the Inverse Cipher. Cryptographic algorithm specified in this Advanced Encryption Standard (AES).Round Key Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher. State Intermediate Cipher result that can e pictured as a rectangular array of ytes, having four rows and N columns. S-Box A Non-linear sustitution tale used in several yte sustitution transformations and in the Key Schedule routine to perform a onefor-one sustitution of a yte value. Word A group of 32 its that is treated either as a single entity or as an array of 4 ytes 37

45 Appendix B: Cipher Example The following diagram shows the values in the State array as the Encryption progresses for a lock length and a Key length of 6 ytes each (i.e., N = 4 and Nk = 4). Input = f6 a8 88 5a 3 8d a2 e Cipher Key = 2 7e ae d2 a6 a f cf 4f 3c 38

46 Appendix B (continued) 39

47 Appendix B (continued) 4

48 Appendix C: Example Vectors This appendix contains example vectors, including intermediate values for all three AES key lengths (Nk = 4, 6, and 8), for the Encryption and Decryption. All vectors are in hexadecimal notation, with each pair of characters giving a yte value in which the left character of each pair provides the it pattern for the 4 it group containing the higher numered its using the notation explained in Section.22, while the right character provides the it pattern for the lower-numered its. The array index for all ytes (groups of two hexadecimal digits) within these test vectors starts at zero and increases from left to right. AES-28 (Nk=4, Nr=) PLAINTEXT: aaccddeeff KEY: acdef CIPHER (ENCRYPT): round[ ].input aaccddeeff round[ ].k_sch acdef round[ ].start acdef round[ ].s_ox 63ca74953d5cd6ee7a7e8c round[ ].s_row 6353e8c96e4cd775acade7 round[ ].m_col 5f f5c92f7e329d9f9a round[ ].k_sch d6aa74fdd2af72fadaa678fd6a76fe round[ 2].start 89d8e8855ace682d843d8c28fe4 round[ 2].s_ox a76ca997e845d8ada6fc97369 round[ 2].s_row a7ea6997ad739d8c9ca45f686 round[ 2].m_col ff d86a56455fa773ad9 round[ 2].k_sch 692cf643ddfe9c56833fe round[ 3].start f55e5d7adaca94fafa63f7 4

49 Appendix C (continued) round[ 3].s_ox 359c73fcd9ee dc67f68 round[ 3].s_row 3d92268fc74f735767cec59e2d round[ 3].m_col 4c9ce66f77f762c3f868e534df256 round[ 3].k_sch 6ff744ed2c2c9f6c59cf469f4 round[ 4].start fa636a c94668a357244d7 round[ 4].s_ox 2df2343f6d2dd9337ec7536e3f round[ 4].s_row 2d6d7ef3f33e dd5f2c7 round[ 4].m_col ffc538df997e478e7547d69 round[ 4].k_sch 47f7f7c95353e3f96c32cfd58dfd round[ 5].start fa6ed c round[ 5].s_ox f9336d2d9f59d23c42c395 round[ 5].s_row 36339d5f f2c92dc446d23 round[ 5].m_col f4cd45432e554d75fd6c5dd33c round[ 5].k_sch 3caaa3e8a99f9de5f3af57adf622aa round[ 6].start c8677c97ac round[ 6].s_ox e847f5654dadde23f7764fe7f7d49 round[ 6].s_row e8da69477d4653ff7f5e2e747dd4f round[ 6].m_col 986ee74f87f5562c49c8e5ad36 round[ 6].k_sch 5e39f7df7a69296a7553dcaa3f6 round[ 7].start c62fe9f75eedc3cc79395d84f9cf5d round[ 7].s_ox 45f e4624c5f998a4c round[ 7].s_row 45824c6868a499f82e5f5554c round[ 7].m_col c57ec59a9d286f5f4e98c63439 round[ 7].k_sch 4f97ae35fe28c44adf4d4ea9c26 round[ 8].start d876cf79c43a45594add66ff4f round[ 8].s_ox 3e75766c4678dfc2295f6a8fc round[ 8].s_row 3ec22c6fcf768da8567f

50 Appendix C (continued) round[ 8].m_col aa3de7af956ed552ca5f44d23 round[ 8].k_sch a4c659e6af4aef7ad2 round[ 9].start fde3ad25e5dd effe37f round[ 9].s_ox 54f456d97e96a92fa9aa round[ 9].s_row 54d99a6a9a596f4ea72f round[ 9].m_col e9f74eec232f6f2ccf2353c2c7 round[ 9].k_sch df ed9ce2c974e round[].start d6e7c3df25779e626e8689 round[].s_ox 7a9f2789d5f52effd9f3dca4ea7 round[].s_row 7ad5fda789ef4e272ca3d9ff59f round[].k_sch 3d7fe3944a7f37a784d23c5 round[].output 69c4ed86a743d8cd7874c55a INVERSE CIPHER (DECRYPT): round[ ].iinput 69c4ed86a743d8cd7874c55a round[ ].ik_sch 3d7fe3944a7f37a784d23c5 round[ ].istart 7ad5fda789ef4e272ca3d9ff59f round[ ].is_row 7a9f2789d5f52effd9f3dca4ea7 round[ ].is_ox d6e7c3df25779e626e8689 round[ ].ik_sch df ed9ce2c974e round[ ].ik_add e9f74eec232f6f2ccf2353c2c7 round[ 2].istart 54d99a6a9a596f4ea72f round[ 2].is_row 54f456d97e96a92fa9aa round[ 2].is_ox fde3ad25e5dd effe37f round[ 2].ik_sch a4c659e6af4aef7ad2 round[ 2].ik_add aa3de7af956ed552ca5f44d23 round[ 3].istart 3ec22c6fcf768da8567f

51 Appendix C (continued) round[ 3].is_row 3e75766c4678dfc2295f6a8fc round[ 3].is_ox d876cf79c43a45594add66ff4f round[ 3].ik_sch 4f97ae35fe28c44adf4d4ea9c26 round[ 3].ik_add c57ec59a9d286f5f4e98c63439 round[ 4].istart 45824c6868a499f82e5f5554c round[ 4].is_row 45f e4624c5f998a4c round[ 4].is_ox c62fe9f75eedc3cc79395d84f9cf5d round[ 4].ik_sch 5e39f7df7a69296a7553dcaa3f6 round[ 4].ik_add 986ee74f87f5562c49c8e5ad36 round[ 5].istart e8da69477d4653ff7f5e2e747dd4f round[ 5].is_row e847f5654dadde23f7764fe7f7d49 round[ 5].is_ox c8677c97ac round[ 5].ik_sch 3caaa3e8a99f9de5f3af57adf622aa round[ 5].ik_add f4cd45432e554d75fd6c5dd33c round[ 6].istart 36339d5f f2c92dc446d23 round[ 6].is_row f9336d2d9f59d23c42c395 round[ 6].is_ox fa6ed c round[ 6].ik_sch 47f7f7c95353e3f96c32cfd58dfd round[ 6].ik_add ffc538df997e478e7547d69 round[ 7].istart 2d6d7ef3f33e dd5f2c7 round[ 7].is_row 2df2343f6d2dd9337ec7536e3f round[ 7].is_ox fa636a c94668a357244d7 round[ 7].ik_sch 6ff744ed2c2c9f6c59cf469f4 round[ 7].ik_add 4c9ce66f77f762c3f868e534df256 round[ 8].istart 3d92268fc74f735767cec59e2d round[ 8].is_row 359c73fcd9ee dc67f68 round[ 8].is_ox f55e5d7adaca94fafa63f7 44

52 Appendix C (continued) round[ 8].ik_sch 692cf643ddfe9c56833fe round[ 8].ik_add ff d86a56455fa773ad9 round[ 9].istart a7ea6997ad739d8c9ca45f686 round[ 9].is_row a76ca997e845d8ada6fc97369 round[ 9].is_ox 89d8e8855ace682d843d8c28fe4 round[ 9].ik_sch d6aa74fdd2af72fadaa678fd6a76fe round[ 9].ik_add 5f f5c92f7e329d9f9a round[].istart 6353e8c96e4cd775acade7 round[].is_row 63ca74953d5cd6ee7a7e8c round[].is_ox acdef round[].ik_sch acdef round[].ioutput aaccddeeff AES-92 (Nk=6, Nr=2) PLAINTEXT: aaccddeeff KEY: acdef CIPHER (ENCRYPT): round[ ].input aaccddeeff round[ ].k_sch acdef round[ ].start acdef round[ ].s_ox 63ca74953d5cd6ee7a7e8c round[ ].s_row 6353e8c96e4cd775acade7 round[ ].m_col 5f f5c92f7e329d9f9a round[ ].k_sch f2f95c43f4fe round[ 2].start 4f eaa85aff8c9d4fade4 round[ 2].s_ox 84f386faeac97794dd7832dd769 round[ 2].s_row 84edd69a4d76f792d389783fac7 round[ 2].m_col 9f487f794f955f662afc86ad7fa29 45

53 Appendix C (continued) round[ 2].k_sch 544afef55847ffa4856e2e95c43f4fe round[ 3].start c288c7d2af9c62aa fd7 round[ 3].s_ox f77c64f579deaaac432c3d37cfe round[ 3].s_row f543efaccf64aa37cde3d77792c round[ 3].m_col 7a53ecf9d75ac4efc79674cc round[ 3].k_sch 4f9493cad4d48f round[ 4].start f75c7778a327c8ed8cfefca6c37f53 round[ 4].s_ox 684af5cacce ed2ed round[ 4].s_row 68cc8edad2c642ef555244ae878 round[ 4].m_col 7ae98dac6d4a6944dd6e2d3e round[ 4].k_sch 58e5a4a2a5557eff c round[ 5].start 22ffc96a f9c64ae2532 round[ 5].s_ox 936dd47c2fa ade43e43f23 round[ 5].s_row 93faa23c293f4743e4dd de round[ 5].m_col aaa75534cffe57cef6f98efc3e6 round[ 5].k_sch 2a5443a2f8f662e3a95d664c8 round[ 6].start 82e776fdd8a8d8c3c965dfee round[ 6].s_ox cdc972c53854a47e5d64c76594cc28 round[ 6].s_row cd54c cc55d4c727e9c9a465 round[ 6].m_col 92f748fd96e937d622d7725a8a5c round[ 6].k_sch f d7edfc6ca87f33e3c round[ 7].start 67effd4e2ae3dfdcef3d7893 round[ 7].s_ox 8572a542fe57279e86c8df27c44 round[ 7].s_row 85e5c842f864549eca df round[ 7].m_col e93e78f57d4227ef652758accc round[ 7].k_sch e c9ea35fe round[ 8].start c37dce622668accd6d3a2c 46

54 Appendix C (continued) round[ 8].s_ox fe757fe7c8e93477f7e4f6987 round[ 8].s_row fe7c7e7fe7f f678e4 round[ 8].m_col 6cf5edf996ea69c4ef2cfc25762 round[ 8].k_sch ea372a c439e77ff25e round[ 9].start 7255dad3f83ed6c64d527c round[ 9].s_ox 4fc c7caed757f97 round[ 9].s_row 46c576d766e757ca9fc77f round[ 9].m_col 7478cdce8a58d4327a round[ 9].k_sch dd7ee887e2fff6868fc842f9dcc54 round[].start a af4e94d2d2fc44336 round[].s_ox d36f37297efe8d7a3758cca5 round[].s_row d37e37597aa28dc37e8c6ff5 round[].m_col d73cc2d8f6ae8cf2dd983d422e round[].k_sch 859f5f237a8d5a3dcc2952eefd63a round[].start 88ec93ef5e7e46cc32f4c96d2944 round[].s_ox c4cedcae694694e423fdd6f522fa round[].s_row c494ffae62322a45dc4e6fce69dd round[].m_col 7d729336d677dc8f28238ef7 round[].k_sch de6e7827cdf2ca2238fd8aeda32 round[2].start af73eecd856228f27f2d585 round[2].s_ox 79a92e99c3e6cdaa3476ccf7397 round[2].s_row 793e76979c343e9aa72dfa96ccc round[2].k_sch a497a33a78dc9c48c27e3a4d5d round[2].output dda97ca4864cdfe6eaf7aecd79 INVERSE CIPHER (DECRYPT): round[ ].iinput dda97ca4864cdfe6eaf7aecd79 47

55 Appendix C (continued) round[ ].ik_sch a497a33a78dc9c48c27e3a4d5d round[ ].istart 793e76979c343e9aa72dfa96ccc round[ ].is_row 79a92e99c3e6cdaa3476ccf7397 round[ ].is_ox af73eecd856228f27f2d585 round[ ].ik_sch de6e7827cdf2ca2238fd8aeda32 round[ ].ik_add 7d729336d677dc8f28238ef7 round[ 2].istart c494ffae62322a45dc4e6fce69dd round[ 2].is_row c4cedcae694694e423fdd6f522fa round[ 2].is_ox 88ec93ef5e7e46cc32f4c96d2944 round[ 2].ik_sch 859f5f237a8d5a3dcc2952eefd63a round[ 2].ik_add d73cc2d8f6ae8cf2dd983d422e round[ 3].istart d37e37597aa28dc37e8c6ff5 round[ 3].is_row d36f37297efe8d7a3758cca5 round[ 3].is_ox a af4e94d2d2fc44336 round[ 3].ik_sch dd7ee887e2fff6868fc842f9dcc54 round[ 3].ik_add 7478cdce8a58d4327a round[ 4].istart 46c576d766e757ca9fc77f round[ 4].is_row 4fc c7caed757f97 round[ 4].is_ox 7255dad3f83ed6c64d527c round[ 4].ik_sch ea372a c439e77ff25e round[ 4].ik_add 6cf5edf996ea69c4ef2cfc25762 round[ 5].istart fe7c7e7fe7f f678e4 round[ 5].is_row fe757fe7c8e93477f7e4f6987 round[ 5].is_ox c37dce622668accd6d3a2c round[ 5].ik_sch e c9ea35fe round[ 5].ik_add e93e78f57d4227ef652758accc round[ 6].istart 85e5c842f864549eca df 48

56 Appendix C (continued) round[ 6].is_row 8572a542fe57279e86c8df27c44 round[ 6].is_ox 67effd4e2ae3dfdcef3d7893 round[ 6].ik_sch f d7edfc6ca87f33e3c round[ 6].ik_add 92f748fd96e937d622d7725a8a5c round[ 7].istart cd54c cc55d4c727e9c9a465 round[ 7].is_row cdc972c53854a47e5d64c76594cc28 round[ 7].is_ox 82e776fdd8a8d8c3c965dfee round[ 7].ik_sch 2a5443a2f8f662e3a95d664c8 round[ 7].ik_add aaa75534cffe57cef6f98efc3e6 round[ 8].istart 93faa23c293f4743e4dd de round[ 8].is_row 936dd47c2fa ade43e43f23 round[ 8].is_ox 22ffc96a f9c64ae2532 round[ 8].ik_sch 58e5a4a2a5557eff c round[ 8].ik_add 7ae98dac6d4a6944dd6e2d3e round[ 9].istart 68cc8edad2c642ef555244ae878 round[ 9].is_row 684af5cacce ed2ed round[ 9].is_ox f75c7778a327c8ed8cfefca6c37f53 round[ 9].ik_sch 4f9493cad4d48f round[ 9].ik_add 7a53ecf9d75ac4efc79674cc round[].istart f543efaccf64aa37cde3d77792c round[].is_row f77c64f579deaaac432c3d37cfe round[].is_ox c288c7d2af9c62aa fd7 round[].ik_sch 544afef55847ffa4856e2e95c43f4fe round[].ik_add 9f487f794f955f662afc86ad7fa29 round[].istart 84edd69a4d76f792d389783fac7 round[].is_row 84f386faeac97794dd7832dd769 round[].is_ox 4f eaa85aff8c9d4fade4 49

57 Appendix C (continued) round[].ik_sch f2f95c43f4fe round[].ik_add 5f f5c92f7e329d9f9a round[2].istart 6353e8c96e4cd775acade7 round[2].is_row 63ca74953d5cd6ee7a7e8c round[2].is_ox acdef round[2].ik_sch acdef round[2].ioutput aaccddeeff AES-256 (Nk=8, Nr=4) PLAINTEXT: aaccddeeff KEY: acdef acdef CIPHER (ENCRYPT): round[ ].input aaccddeeff round[ ].k_sch acdef round[ ].start acdef round[ ].s_ox 63ca74953d5cd6ee7a7e8c round[ ].s_row 6353e8c96e4cd775acade7 round[ ].m_col 5f f5c92f7e329d9f9a round[ ].k_sch acdef round[ 2].start 4f eaa85efa7232a4e75 round[ 2].s_ox 84f386faeac97df5cfd237c49946 round[ 2].s_row 84efd6a5c946fdf cfac23 round[ 2].m_col d2a395d26ac438d92443e65da95 round[ 2].k_sch a573c29fa76c498a97fce93a572c9c round[ 3].start 859fc28aca78ed8aadc42f69 round[ 3].s_ox adcf257e9c63ec557e95c5ef round[ 3].s_row ad9c7e7e55ef25c5fecc6395 round[ 3].m_col 8dcecc9d ce88a5d 5

58 Appendix C (continued) round[ 3].k_sch 65a8cd244edaa5da4c64ade round[ 4].start 975c66cc9f3fa8a93a28df8eef63 round[ 4].s_ox 884a3378fd75c2d38349e9f876f round[ 4].s_row 88d34ff87678d3f833c294a759e round[ 4].m_col 2822d8ae6f275faf3a78c33 round[ 4].k_sch ae87dffff68a68ed5f3fc567 round[ 5].start c5f27a47e4ff92c5c47554 round[ 5].s_ox 9c689a349fe8499fda678f25592 round[ 5].s_row 9cfa6249fd59a f26e78 round[ 5].m_col ae65a974ef822d73f567d64c877 round[ 5].k_sch 6def486fa54f9275f8e d round[ 6].start c357aae457a2c7d28a8dc99fa round[ 6].s_ox 2e5acf8af6ea9e73ac67a34c286ee2d round[ 6].s_row 2e6e7a2dafc6eef83a86ace7c25a934 round[ 6].m_col 95c33c2e9d29ae25cdefa8cc7 round[ 6].k_sch c656827fc9a79976f294cec6cd5598 round[ 7].start 7f7443c4e243ecc85d8375d54c round[ 7].s_ox d2c583af2f36278fec4cec9d329 round[ 7].s_row d22fc29ffe3a789d832ecc5364c round[ 7].m_col e9ec3ee7c9e87d7535e9ed6944 round[ 7].k_sch 3de23a e727f9e4547cf39 round[ 8].start d653a4696cacf5acaa5d96c5e7d round[ 8].s_ox f6ed49f95e6576e74624c56558ff round[ 8].s_row f6e62ff57458f9e ed654c round[ 8].m_col 574c8669da98435a83e62ca974a5ea round[ 8].k_sch dc95fc27948ad5245a4c87c2f round[ 9].start 5aa858395fd28d7d5ea38868f39c5 5