Because the application of AES (Advanced Encryption Standard) is fully in development for various (wireless) applications, there is growing likeliness of future usage by others. In particular, IEEE 802.15.4 has defined several AES based security provisions for different levels of protection and with various key-sizes and various secondary encryption additions.
For low cost systems that are battery powered or use energy harvesting, a low (peak) power and an area efficient security implementation are very important.
Ref [1] specifies the algorithm for AES encryption. AES is a symmetric block cipher, which means that the plain text is found by de-encrypting the cipher text with the same key. FIG. 1 illustrates the basic transformation steps of the AES defined algorithm: SubBytes, ShiftRows, MixColumns, AddRoundKey. FIG. 2 shows the 4 steps in more detail. They are all linear transformations, except for the SubBytes operation, which is non-linear. The order of the SubBytes and the ShiftRows transformations can be exchanged, because the SubBytes operation performs a mapping of byte values, keeping the order in tact, while the ShiftRows operation changes the order of the bytes, keeping the values in tact. With AES-128 a 128 bit key is used and the cycle of the 4 steps is made 10 rounds, but other key sizes of 192 and 256 are also possible with more rounds.
Many different architectures for the best performance with respect to throughput, energy consumption and chip area have been investigated. Architectures with the highest throughput and largest area use a data path width of 128 bits, and employ an unrolling of the round operations. Architectures that are optimised for the smallest area use a data path width of 8 bits, and perform the rounds consecutively. In 8-bit designs, the most area and energy is used by the register that holds the state and key variables. Some designs have employed a single port memory to allow storage of the state variable, and others use specially designed register structures that combine storage of state variable with the ShiftRows transformation (byte permutation units). Ref [5] gives an overview of memory and register based byte permutation units.
FIG. 3 shows a high level architecture for an AES core. The high level architecture is disclosed in Ref [3]. FIG. 4 shows a detailed flow diagram for the AES core shown in FIG. 3. The AES core comprises a byte permutation unit 1, a first S-box 2, a MixColumns multiplier 3, a parallel-to-serial converter 4, a second S-box 5 and a key expansion unit 6. The AES core is an 8-bits AES core. All signal lines shown in FIGS. 3 and 4 corresponds to 8-bits wide lines and each delay, multiplexer, demultiplexer, XOR (logical exclusive OR operation) etc., are elements which process the 8-bits input signal signals to obtain 8-bits output signals. The AES core shown in FIG. 4 will be used as a reference AES core to elucidate the advantages of the embodiment of the present invention.