Survey of iterated AES hardware implementations in standard cell ASIC

There are two broad approaches to implementing AES in hardware: the first is a low-area construction that iterates a small round function several times; the second is a high-performance, large-area construction that fully unrolls the round function. This page surveys the iterated constructions.

Iterated constructions require less circuit area than unrolled implementations and can perform CBC, OFB and other feedback modes of operation at full speed. This feedback mode is required for HMAC-CBC message authentication codes. (For a modern single-pass encrypt-with-MAC mode suitable for iterated and unrolled AES, see OCB Mode.)

Careful consideration should be given to selecting the key lengths for your design. Under a time-memory trade-off attack model, the security of AES is less than the key length for the CBC, ECB, OCB, OFB and OMAC modes of operation. This general position is also supported when considering the security of the cipher under a parallel attack model.

Furthermore, highly iterated, low-area constructions are particularly vulnerable to side-channel attacks. The paper [053] describes a side-channel attack that can determine an entire 128-bit AES key in as few as 40 measurements! Side-channel attacks have been demonstrated as viable against 128-bit wide, fully unrolled (2758 DFF) AES implementations in ASIC chips (PDF).

We have included the Synaptic Laboratories VEST-4 performance figures in this survey as part of our eSTREAM commitments. We note that the VEST-4 cipher offers larger security margins than AES, accepts a 160-bit key, and is capable of generating a 160-bit single-pass MAC and a 160-bit hash digest in a single module.

The original survey of AES, SHA and VEST hardware cipher implementations submitted by Synaptic Laboratories to support the ECRYPT eSTREAM process can be downloaded here in PDF format. The downloadable survey includes static-power estimates of some AES implementations.

Standard Cell: 128-bit key only

| Ref | Author | Product | F() | Geometry | Data Stages | Data Bus | K gates | K bits | Clock (MHz) | Mbps |
|---|---|---|---|---|---|---|---|---|---|---|
| 081 *** | V. Rijmen | AES on a Grain of Sand | E/D | 0.35 | 1032 (E), 1165 (D) | 8 | ~3.4 | 0 | 80 | 9.9 (E), 8.8 (D) |
| 031 | IP Cores | Ultra Compact Enc | E | 0.18 | 160 | 8 | 3.0 | 0 | 80 | 64 |
| | | | | *0.13 | | | | | 150 | 120 |
| 075 *** | IBM Research | Rijndael-54-Area | E/D | 0.11 | 54 | 32 | 5 | 0 | 131 | 311 |
| 075 *** | IBM Research | Rijndael-44-Area | E/D | 0.11 | 44 | 32 | 6 | 0 | 138 | 400 |
| VEST | Synaptic Laboratories | VEST-4-1x Stream Cipher | E/D/H | ^0.11 | 1 | 4 | 6 | 0 | (556) 312 | (2496) 1248 |
| 075 *** | IBM Research | Rijndael-54-Speed | E/D | 0.11 | 54 | 32 | 10 | 0 | 222 | 526 |
| 075 *** | IBM Research | Rijndael-32-Area | E/D | 0.11 | 32 | 32 | 8 | 0 | 137 | 548 |
| 075 *** | IBM Research | Rijndael-44-Speed | E/D | 0.11 | 44 | 32 | 11 | 0 | 219 | 638 |
| 019 | Cadence | AES-128 | E/D | ? | 42 | 32 | 36 | 0 | 260 | 792 |
| 075 *** | IBM Research | Rijndael-22-Area | E/D | 0.11 | 22 | 32 | 9 | 0 | 137 | 798 |
| 075 *** | IBM Research | Rijndael-32-Speed | E/D | 0.11 | 32 | 32 | 15 | 0 | 219 | 875 |
| 034 | CAST | AES-Enc+Key | E/D | 0.18 | 44 | 32 | 11 | 0 | 384 | 1117 |
| 075 *** | IBM Research | Rijndael-22-Speed | E/D | 0.11 | 22 | 32 | 17 | 0 | 218 | 1267 |
| 075 *** | IBM Research | Rijndael-11-Area | E/D | 0.11 | 11 | 32 | 12 | 0 | 145 | 1691 |
| 007 | Helion Tech | Fast Enc and Dec, Full Duplex E/D | E/D | 0.18 | 11 | 128 | 57 | 0 | 200 | 2327 |
| 075 *** | IBM Research | Rijndael-11-Speed | E/D | 0.11 | 11 | 32 | 21 | 0 | 224 | 2609 |
| VEST | Synaptic Laboratories | VEST-4-2x Stream Cipher | E/D/H | ^0.11 | 1 | 4 | 7 | 0 | (335) 312 | (2682) 2496 |
| 020 | Asics.ws | 128-Encrypt | E | 0.18 | 12 | 128 | 38 | 0 | 265 | 2827 |
| 007 | Helion Tech | Fast Enc | E | 0.18 | 11 | 128 | 27 | 0 | **250 | 2909 |
| 034 | CAST | AES-Enc+Key | E/D | 0.18 | 11 | 128 | 38 | 0 | 250 | 2909 |
| 022 | Alireza Hodjat | Feedback (86 mW) | E/D | 0.18 | 11 | 128 | 73 | 0 | 295 | 3430 |
| 057 | IBM Research | Twisted-BDD + Basic | D | *0.13 | 10 | 128 | 62 | 0 | 699 | 8900 |
| 057 | IBM Research | Twisted-BDD + TBox | D | *0.13 | 10 | 128 | 282 | 0 | 885 | 11300 |
| 057 | IBM Research | Twisted-BDD + TBox | E | *0.13 | 10 | 128 | 168 | 0 | 909 | 11600 |

^ The 0.11 geometry is based upon the slower platform ASIC and not a standard-cell ASIC design flow.
* 0.13 geometries may achieve a full 2x clock-speed gain over 0.18 geometries.
** Helion Tech claims that speeds approaching 300 MHz are possible with some EDA toolsets and standard cell libraries. They requested that we survey the cipher at 250 MHz as this is a realistic expectation for most toolsets.
*** eSTREAM selected these ciphers as the baseline for comparing new cipher submissions in constrained hardware environments.

Standard Cell: 128/192/256-bit: 128-bit key mode

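| Ref | Author | Product | F() | Geometry | Data Stages | Data Bus | K gates | K bits | Clock (MHz) | Mbps |
|---|---|---|---|---|---|---|---|---|---|---|
| 027 | Elliptic Semi. | Tiny AES Core | E/D | ? | 262 | ? | 8 | 0 (?) | 81 (Claimed) | 40 |
| 007 | Helion Tech | Standard Enc | E | 0.18 | 48 | 32 | 11 | 0 | 200 | 533 |
| 008 | North Pole Eng. | Compact | E/D | 0.25 | 45 | 32 | 3 | 160 | 278 | 790 |
| 019 | Cadence | AES-HP | E/D | ? | 12 | 128 | 64 | 0 | 200 | 2133 |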

Standard Cell: 128/192/256-bit: 192-bit key mode

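| Ref | Author | Product | F() | Geometry | Data Stages | Data Bus | K gates | K bits | Clock (MHz) | Mbps |
|---|---|---|---|---|---|---|---|---|---|---|
| 028 | Elliptic Semi. | Tiny AES Core | E/D | ? | 312 | ? | 8 | 0 | 81 | 33 |
| 007 | Helion Tech | Standard Enc | E | 0.18 | 56 | 32 | 11 | 0 | 200 | 457 |
| 019 | Cadence | AES-192 | E/D | ? | 50 | 32 | 42 | 0 | 260 | 665 |
| 008 | North Pole Eng. | Compact | E/D | 0.25 | 53 | 32 | 3 | 160 | 278 | 671 |
| 019 | Cadence | AES-HP | E/D | ? | 14 | 128 | 64 | 0 | 200 | 1828 |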

Standard Cell: 128/192/256-bit: 256-bit key mode

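| Ref | Author | Product | F() | Geometry | Data Stages | Data Bus | K gates | K bits | Clock (MHz) | Mbps |
|---|---|---|---|---|---|---|---|---|---|---|
| [028] | Elliptic Semi. | Tiny AES Core | E/D | ? | 362 | ? | 8 | 0 | 81 | 29 |
| [007] | Helion Tech | Standard Enc | E | 0.18 | 64 | 32 | 11 | 0 | 200 | 400 |
| [019] | Cadence | AES-256 | E/D | ? | 58 | 32 | 40 | 0 | 260 | 574 |
| [008] | North Pole Eng. | Compact | E/D | 0.25 | 61 | 32 | 3 | 160 | 278 | 583 |
| [019] | Cadence | AES-HP | E/D | ? | 16 | 128 | 64 | 0 | 200 | 1600 |
| [007] | Helion Tech | Fast Enc | E | 0.18 | 15 (claimed) | 128 | 31 | 0 | 200 | 1706 (1828) |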

Standard Cell: 256-bit key only

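| Ref | Author | Product | F() | Geometry | Data Stages | Data Bus | K gates | K bits | Clock (MHz) | Mbps |
|---|---|---|---|---|---|---|---|---|---|---|
| [007] | Helion Tech | Fast Enc and Dec, Full Duplex E/D | E/D | 0.18 | 15 | 128 | 60 | 0 | 200 | 1706 |
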
References

[007] Helion Technology, “AES Core for FPGA and ASIC”, Helion Technology, [Link]

[008] North Pole Engineering, “AES Core”, North Pole Engineering. [Link]

[019] Cadence, “AES Cores: Technical Data Sheet”, Cadence, July 2003, [PDF]

[020] Asics.ws, “(Free) AES IP Core”, Asics.ws, February 2004, [Link]

[022] Alireza Hodjat (bib), “An over 3 Gbits/s AES coprocessor in feedback and non-feedback modes of operation”, [Link]

[027] Asics.ws, “(Free) DES / Triple DES IP Core”, Asics.ws, July 2004. [Link]

[028] Elliptic Semiconductor, “CLP-11; Tiny AES Core; Preliminary Data Sheet”, Elliptic Semiconductor, 2004, CLP-11_40623.pdf [Updated PDF]

[031] IP Cores Inc, “Ultra-Compact Advanced Encryption Standard Core”, IP Cores Inc, April 2005. [PDF]

[034] CAST, “AES: Advanced Encryption Standard Core on ASIC”, CAST, August 2005. [PDF]

[053] Kai Schramm, Gregor Leander (bib), Patrick Felke, Christof Paar (bib), "A Collision-Attack on AES: Combining Side Channel- and Differential-Attack", CHES 2004, page 163-175. [PDF]

[057] Sumio Morioka, Akashi Satoh, "A 10 Gbps Full-AES Crypto Design with a Twisted-BDD S-Box Architecture" iccd, p. 98, 2002 IEEE International Conference on Computer Design (ICCD'02), 2002. [Abstract]

[075] Akashi Satoh, Sumio Morioka, Kohji Takano, Seiji Munetoh, "A Compact Rijndael Hardware Architecture with S-Box Optimization.", In Advances in Cryptology — Asiacrypt 2001, volume 2248 of LNCS, pages 239–254. Springer, 2001. [PDF]

[081] Martin Feldhofer (bib), Johannes Wolkerstorfer (bib), Vincent Rijmen (bib), "AES implementation on a grain of sand", October 2005. [PDF]