Advanced Encryption Standard (AES) is a cipher defined by the National Institute of Standards and Technology (NIST) in the Federal Information Processing Standard (FIPS) publication 197. The AES document defines a calculation called an “AES Round” that operates on a block of 128 bits, repeated ten, twelve or fourteen times. Performance criteria and the volume of data encrypted with AES have led to the development of dedicated electronic circuits for the AES Round computations.
The AES Round computations have two different versions, one version for encryption and another version for decryption. A variety of existing designs for AES round circuits can be classified as four basic types. Some circuits implement encryption only, some circuits implement decryption only, some circuits use separate subcircuits for the two operations, and some circuits use shared components that implement both operations.
For applications implementing both encryption and decryption, a design with separate subcircuits is fastest. However, a disadvantage of the separate subcircuits is that such designs are large and expensive. A design that uses the same components for both encryption and decryption is smaller and cheaper. The AES specification defines each round as alternating linear and nonlinear transformations. A linear transformation is a matrix multiplication operation in boolean algebra that is commonly computed with a network of exclusive-OR (XOR) gates.
The linear transformation used in decryption is the inverse of the linear transformation used in encryption. A matrix for decryption is found by inverting the corresponding matrix for encryption, resulting in a completely different matrix. Thus, a completely different XOR network is implemented for decryption. Little opportunity exists to save area by using the same XOR gates for both the encryption and the decryption. In contrast, the nonlinear transformation is an inversion in 256-element Galois Field algebra, analogous to the function (1/X) in normal arithmetic. Therefore, the nonlinear transformation is an inverse of itself, since 1/(1/X)=X. Hence, the nonlinear transformation to be computed is the same in both the encryption and the decryption. As such, the components used for computing the nonlinear transformation are suitable for both encryption and decryption. As the area of a circuit that calculates the nonlinear transformation is typically larger than the area of a circuit that calculates the linear transformations, such reuse results in substantial area savings. However, a disadvantage of the conventional reuse approaches is that various details of the sequence of operations in the AES document are obstacles to making such a design run fast.
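The reuse argument above, as an added example that is not part of the original text: the AES S-box (encryption) and inverse S-box (decryption) are built here from one shared GF(2^8) inversion routine and two different affine maps, so the costly inversion is the same component in both directions. The field polynomial, affine constants and rotation structure are the ones given in FIPS 197; the function names are this example's own.

```python
# Added example: shared GF(2^8) inversion plus the two FIPS 197 affine maps.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(x: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention."""
    if x == 0:
        return 0
    # x^254 == x^-1 because the multiplicative group has order 255.
    result, base, e = 1, x, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def _rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def affine_fwd(x: int) -> int:
    """Encryption-side affine map from FIPS 197 (constant 0x63)."""
    return x ^ _rotl(x, 1) ^ _rotl(x, 2) ^ _rotl(x, 3) ^ _rotl(x, 4) ^ 0x63


def affine_inv(x: int) -> int:
    """Decryption-side affine map from FIPS 197 (constant 0x05), inverse of affine_fwd."""
    return _rotl(x, 1) ^ _rotl(x, 3) ^ _rotl(x, 6) ^ 0x05


def sbox(x: int) -> int:
    """SubBytes: shared inversion, then the encryption affine map."""
    return affine_fwd(gf_inv(x))


def inv_sbox(y: int) -> int:
    """InvSubBytes: the decryption affine map, then the SAME shared inversion."""
    return gf_inv(affine_inv(y))
```

The two affine maps differ entirely (as the text says of the linear parts), while `gf_inv` appears unchanged in both `sbox` and `inv_sbox`; `gf_inv(gf_inv(x)) == x` for every byte is the self-inverse property the passage relies on.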