IST-2002-507932ECRYPTEuropean Network of Excellence in CryptologyNetwork of ExcellenceInformation Society TechnologiesD.VAM.2State of the Art in Hardware ArchitecturesDue date of deliverable: 31. July 2005Actual submission date: 05. September 2005Start date of project: 1. February 2004 Duration: 4 yearsLead contractor: Institute for Applied Information Processing and Communications (IAIK)Revision 1.0Project co-funded by the European Commission within the 6th Fram ework ProgrammeDissemination LevelPU Public XPP Restricted to other programme participants (including the Commission services)RE Restricted to a group specified by the consortium (including the Commission services)CO Confidential, only for members of the consortium (including the Commission services)State of the Art in Hardware ArchitecturesEditorElisabeth Oswald (IAIK)ContributorsMartin Feldhofer (IAIK), Kerstin Lemke (RUB), Elisabeth Oswald (IAIK),Fran¸cois-Xavier Standaert (UCL), Thomas Wollinger (RUB)and Johannes Wolkerstorfer (IAIK)05. September 2005Revision 1.0The work described in this report has in part b een supported by the Commission of the European Com-munities through the IST program under contract IST-2002-507932. The information in this document isprovided as is, and no warranty is given or implied that the information is fit for any particular purpose. Theuser thereof uses the information at its sole risk and liability.Contents1 Executive Summary 12 Introduction to Hardware Architectures 32.1 Historical Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.2 Cryptographic Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.2.1 Cryptographic (Co-)Processors . . . . . . . . . . . . . . . . . . . . . . 42.2.2 Smart Cards and USB Devices . . . . . . . . . . . . . . . . . . . . . . 52.2.3 RFID tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.3 FPGA vs. ASIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.4 Hardware-Design Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . 72.4.1 Top-Down Design Approach . . . . . . . . . . . . . . . . . . . . . . . . 82.4.2 Semi-Custom Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.5 Hardware Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 AES Hardware Architectures 113.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Description of the Advanced Encryption Standard AES . . . . . . . . . . . . 123.2.1 AES Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . 123.2.2 AES Round Transformation . . . . . . . . . . . . . . . . . . . . . . . . 133.2.3 Hardware Aspects of AES . . . . . . . . . . . . . . . . . . . . . . . . . 133.3 Lightweight Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.3.1 Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.3.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.3.3 Implementation Details . . . . . . . . . . . . . . . . . . . . . . . . . . 173.3.4 Characteristics of Lightweight Implementations . . . . . . . . . . . . . 203.4 High-speed Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233.4.1 Design Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233.4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.4.3 Implementation Details . . . . . . . . . . . . . . . . . . . . . . . . . . 283.4.4 Characteristics of High-speed Implementations . . . . . . . . . . . . . 314 Conclusions and Future Work 35iiiChapter 1Executive SummaryThis is the first of two deliverables that survey state-of-the-art hardware architectures forcryptographic algorithms. Hardware implementations of cryptographic algorithms have along history. Traditionally, algorithms were implemented in hardware to achieve a higherspeed than with implementations in software. The requirements of contemporary and futureapplications however, demand often other properties of hardware implementations.Today we can identify two application scenarios where hardware implementations areadvantageous over software implementations. Firstly, these are high-speed applications wherea cryptographic co-processor performs the cryptographic operations in order to relieve the restof the system. Secondly, these are applications where low power and low area requirementsare stringent. In both application scenarios, the secure storage of keys is important.In this deliverable we survey hardware architectures that are suitable for cryptographic ap-plications. In particular, we analyze various hardware implementations of the AES algorithm.The focus of this survey will be on throughput-optimized circuits and on circuits designed foroperation in very constricted environments where the power budget and the silicon area aresparse resources.In order to provide a profound analysis of existing AES hardware we describe the AESalgorithm briefly. The analysis of existing AES hardware s hows considerations for light-weightimplementations and for high-performance implementations. For both implementation goals,pointers and references to state-of-the-art implementations are given. Concepts and designconsiderations behind these implementations, which allow to push the limits of AES hardwareimplementations, are summarized in a compact manner.12 ECRYPT — Europ e an NoE in CryptologyChapter 2Introduction to HardwareArchitecturesThis is the first of two deliverables that survey state-of-the-art hardware architectures forcryptographic algorithms. Hardware implementations of cryptographic algorithms …