
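Graduate student: 洪嘉隆 (Chia-Lung Horng)
Thesis title: An AES Cipher Chip Design Using On-the-Fly Key Scheduler
Advisor: 吳誠文 (Cheng-Wen Wu)
Oral examination committee:
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Electrical Engineering
Year of publication: 2004
Academic year of graduation: 92
Language: Chinese
Number of pages: 60
Keywords (Chinese): Advanced Encryption Standard, cipher, cryptography, on-the-fly key scheduler
Keywords (English): AES, cipher, cryptography, on-the-fly key scheduler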
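    The Advanced Encryption Standard (AES) algorithm is a new standard for symmetric-key cryptosystems. It was published by the U.S. National Institute of Standards and Technology in 2001 to replace the Data Encryption Standard (DES) algorithm. In recent years, many hardware implementations of the AES algorithm have been published. Most of these designs focus on implementing the AES S-Box; the round-key generation process is usually implemented by computing the round keys in advance and holding them in memory or registers. The advantage of precomputing the key schedule is that it is simple and convenient to implement in hardware, and any required round key can be fetched directly; the drawback is that this approach consumes more power.
    This thesis presents the efficient hardware implementation that we adopted. Unlike the precomputed key schedule, we generate the round keys with an on-the-fly key scheduling method. The advantage of on-the-fly key scheduling is that it reduces power consumption, and it is also suitable for integration in system-on-chip designs. We also modified the round function of the AES algorithm to reduce the complexity of the hardware design and improve performance. Compared with the original round function, our modified round function saves the delay of 2 MUX gates and of 5 to 8 XOR gates. Using a standard 0.18 μm CMOS process (UMC 0.18 μm CMOS), our design achieves a clock rate of 125 MHz; the throughput is 1.6 Gbps with a 128-bit key, 1.33 Gbps with a 192-bit key, and 1.13 Gbps with a 256-bit key. In addition, power consumption and testability are key considerations in our design. We apply standard low-power design methods to reduce power consumption, and the power consumption of our design is about 56 mW. As for testability, the fault coverage of our design is about 99.93%.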


    The Advanced Encryption Standard (AES) algorithm is a new standard for symmetric-key cryptosystems. The algorithm was announced by the National Institute of Standards and Technology (NIST) of the United States in 2001 to replace the Data Encryption Standard (DES) algorithm. In recent years, many hardware implementations have been proposed. Most of these hardware designs focus on the S-Box and implement the key scheduler with a memory-based method. We propose an efficient hardware implementation of the AES algorithm using an on-the-fly key scheduling method. Unlike the memory-based key scheduler, the proposed method reduces power dissipation and is suitable for integration into system chips. We also modify the round function to shorten the path delay and reduce the hardware complexity: 2 MUXes and 5 XOR gates are saved in the critical path for encryption, and 2 MUXes and 8 XOR gates for decryption. The Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Counter (CTR) operating modes are also supported in our design. Using a typical 0.18 μm CMOS technology, a 125 MHz clock rate is achieved, and the throughput is 1.6 Gbps for a 128-bit key, 1.33 Gbps for a 192-bit key, and 1.13 Gbps for a 256-bit key. Moreover, the power and testability issues of the design are also considered. We apply standard low-power design methods to reduce power, and the power consumption of the AES chip is about 56 mW in the worst case. In addition, the fault coverage is about 99.93% and the gate count is about 67.9K in the design.

    Abstract
    Acknowledgements
    Table of Contents
    Chapter 1: Introduction
    Chapter 2: Introduction to the AES Algorithm
    Chapter 3: On-the-Fly Key Scheduler Design
    Chapter 4: Hardware Simplification Strategies
    Chapter 5: AES Design
    Chapter 6: Experimental Results
    Chapter 7: Conclusions and Future Work
    English Appendix

