AES-GCM

1

Efficient and High-Performance ParallelHardware Architectures for the AES-GCM

Mehran Mozaffari-Kermani and Arash Reyhani-Masoleh

Abstract—Since its acceptance as the adopted symmetric-key algorithm, the Advanced Encryption Standard (AES) and its recentlystandardized authentication Galois/Counter Mode (GCM) have been utilized in various security-constrained applications. Many of theAES-GCM applications are power and resource constrained and require efficient hardware implementations. In this paper, differentapplication-specific integrated circuit (ASIC) architectures of building blocks of the AES-GCM algorithms are evaluated and optimizedto identify the high-performance and low-power architectures for the AES-GCM. For the AES, we evaluate the performance of morethan 40 S-boxes utilizing a fixed benchmark platform in 65-nm CMOS technology. To obtain the least-complexity S-box, the formulationsfor the Galois Field (GF) sub-field inversions in GF (24) are optimized. By conducting exhaustive simulations for the input transitions,we analyze the average and peak power consumptions of the AES S-boxes considering the switching activities, gate-level netlists, andparasitic information. Additionally, we present high-speed, parallel hardware architectures for reaching low-latency and high-throughputstructures of the GCM. Finally, by investigating the high-performance GF (2128) multiplier architectures, we benchmark the proposedAES-GCM architectures using quadratic and sub-quadratic hardware complexity GF (2128) multipliers. It is shown that the performanceof the presented AES-GCM architectures outperforms the previously reported ones in the utilized 65-nm CMOS technology.

Index Terms—Advanced Encryption Standard, Galois/Counter Mode, High Performance, Low Power.

�

1 INTRODUCTION

THE Advanced Encryption Standard-Galois/CounterMode (AES-GCM) provides authentication and con-

fidentiality for sensitive data simultaneously. In the AES-GCM, data confidentiality is provided by the AdvancedEncryption Standard (AES) [1]. The AES was acceptedby the National Institute of Standards and Technology(NIST) in 2001 as the replacement for the previous cryp-tographic standards. Since then, it has been included inwireless standards of Wi-Fi [2] and WiMAX [3] and manyother applications, ranging from the security of smartcards to the bitstream security mechanisms in FPGAs [4].The authentication of the AES-GCM is provided by theGalois/Counter Mode (GCM) [5] using a universal hashfunction. The AES-GCM has been used for a numberof applications such as the new LAN security standardWLAN 802.1ae (MACSec) [6] and Fibre Channel SecurityProtocols (FC-SP) [7]. Moreover, it has been utilized ina number of cores from industry, see, for example, [8],[9], and [10]. In addition, two AES-GCM software-basedimplementations have been presented in [11] and [12].

Among the transformations in the AES encryption, theSubBytes (S-boxes) is the only non-linear one, requiringthe highest area and consuming much of the AES power[13]. Therefore, the performance metrics of the S-boxesaffect those for the entire AES encryption significantly.For low-complexity implementations, the S-box can berealized using logic gates in composite fields. These S-boxes can also be pipelined for achieving high perfor-

• The authors are with the Department of Electrical and Computer Engi-neering, The University of Western Ontario, London, Ontario, Canada.E-mail addresses: {mmozaff and areyhani}@uwo.ca.

mance. On the other hand, the S-boxes based on look-uptables (LUTs) could be area-efficient when implementedutilizing the memory resources available on FPGAs. Insome previous works such as [13], [14], [15], [16], [17],and [18], one specific S-box and in [19], three reportedS-boxes have been synthesized on ASIC. However, ex-haustive search has not been performed for all suitablecomposite fields to evaluate their performance metricsusing the same technology.

It is also noted that in some other works, see, forinstance, [20], [21], [22], [23], [24], and [25], the hardwareand timing complexities of different composite field S-boxes have been evaluated in terms of logic gates (in [26],software implementations have been performed). How-ever, benchmarking the performance (including powerconsumptions through simulation-based approaches) ofthe S-boxes implementations on hardware platforms hasnot been performed in these works.

In this paper, we logic-gate optimize and performcomprehensive ASIC syntheses of more than 40 differentS-boxes for deriving their performance metrics. Thisbenchmarking, which is done on the same platform,results in having a clear picture of the performancemetrics of different designs.

Different GCM architectures have been presented inthe literature. In [27], [28], and [29], the sequentialmethod for the hardware implementation of the GCMfunction is adopted. Although this method of realizationis area-efficient, it needs many clock cycles (equal tothe number of input blocks), reducing the performanceof the architecture. Because of the low throughput ofthe sequential method, a parallel method is proposedin [30] which uses two GF (2128) multipliers to perform

Digital Object Indentifier 10.1109/TC.2011.125 0018-9340/11/$26.00 © 2011 IEEE

IEEE TRANSACTIONS ON COMPUTERSThis article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.

2

this operation in parallel. This parallel implementationhas been generalized in [31] and [32] so that q, q ≥ 2,parallel GF (2128) multiplications are performed concur-rently. Very recently, a high-performance approach forcomputing the GHASHH function for long messageshas been proposed in [33]. However, in this schemethe hardware complexity is increased. In this paper,a high-performance parallel method for obtaining theGCM by relying on the low-complexity powers of thehash subkey is proposed. Without pre-computing thehash subkey exponents, compact realizations of theseexponents are obtained and implemented. This resultsin high-throughput and low-latency GCM hardware ar-chitectures, suitable for high-performance applications.

The contributions of this paper by referring to theircorresponding sections are summarized as follows.

• Logic-gate minimizations for the polynomial ba-sis inversion in GF (24) are performed (Lemma 1).Moreover, we synthesize the structures of differentAES S-boxes using the Synopsys R© Design Vision R©

(which is the graphical user interface to Synopsys R©

Design Compiler R©) [34] in STM 65-nm CMOS stan-dard technology [35] (Section 3). Then, the areas anddelays of these hardware architectures are derivedand compared (Table 1).

• To achieve the least dynamic power-consumingAES S-box, we obtain the average and peak powerconsumptions of the S-boxes through exhaustivesearches considering the possible 28(28−1) = 65280input transitions (Table 2). These derivations arebased on a timing simulation-based analysis us-ing the switching activities of internal nodes withSynopsys R© PrimeTime R© PX [34] and ModelSim R©

[36].• Using a complexity reduction technique, the hard-

ware complexities of different architectures for thesubkey exponentiations in the GCM are reduced(Section 4). Then, by utilizing these low-complexityexponentiations, we propose efficient architecturesfor the GCM, yielding high throughput and lowlatency (Algorithm 1).

• Finally, the proposed hardware architectures for theAES-GCM are synthesized considering two typesof GF (2128) multipliers (Section 5). We investigatethe performance of quadratic and six different sub-quadratic complexity GF (2128) multipliers (Table 5).It is shown that the proposed architectures for theAES-GCM have higher throughput and efficiencyand reach lower latency compared to the previouslyreported ones (Table 7 and Fig. 8).

The organization of this paper is as follows. In Section2, preliminaries related to the AES-GCM are presented.In Section 3, logic-gate optimizations for the inversionsin GF (24) within the S-boxes are presented and wepresent the results of our syntheses for different S-boxes.Power consumption derivations and comparisons of theS-boxes through a simulation-based method are also

presented in this section. In Section 4, the proposed high-performance architectures for implementing the GCMare presented. Section 5 presents the ASIC synthesesand comparisons of the proposed architectures and thepreviously reported ones. Finally, conclusions are madein Section 6.

2 THE AES-GCMIn this section, we present preliminaries for the AES-GCM algorithm. In what follows, the AES (used forconfidentiality) and the GCM (used for authentication)algorithms in the AES-GCM and their hardware archi-tectures are presented.

2.1 The Advanced Encryption Standard

In the AES-GCM, only the AES encryption is utilizedwith the input and the output blocks of 128 bits. How-ever, based on the security requirements, the key sizecould be determined as AES-128 (with 10 rounds), AES-192 (with 12 rounds), or AES-256 (with 14 rounds) [1].In the AES encryption, all the rounds except for the lastround have four transformations of SubBytes, ShiftRows,MixColumns, and AddRoundKey. For the last round, Mix-Columns is eliminated and only three transformations ofSubBytes, ShiftRows, and AddRoundKey are used.

The transformation SubBytes (S-boxes) is implementedby 16 S-boxes. In the S-box, each byte of the inputstate is substituted by a new byte. In ShiftRows, thefirst row of the state remains intact and the four bytesof the last three rows of the input state are cyclicallyshifted. In the MixColumns transformation, each columnis modified individually and in the final transformation,AddRoundKey, modulo-2 addition of the input state andthe key of the corresponding round is performed [1].

For realizing the S-box, the irreducible polynomial ofP (x) = x8 + x4 + x3 + x + 1 is used to construct thebinary field GF (28). Let I ∈ GF (28) and O ∈ GF (28)be the input and the output of the S-box. Then, theS-box consists of finding the multiplicative inversion,i.e., I−1 ∈ GF (28) with the exception of mapping thezero input to the zero output, followed by the affinetransformation in GF (28) [1].

In what follows, we present the preliminaries regard-ing the hardware implementations of the S-boxes withinthe AES using LUTs and composite fields.

2.1.1 LUT-Based S-boxesThe AES S-boxes can be implemented using LUTs. Forthis purpose, 256 × 8 memory cells are used to storethe 256 possible 8-bit outputs of each S-box. The LUT-based implementation of the S-boxes is suitable for theFPGA platforms in which block memories are available,see, for example, [37], [38], and [39]. However, althoughthis implementation reaches high-speed architectures, itis not suitable for applications requiring low-complexityAES ASIC implementations [40].


3

The usage of arithmetic in composite fields reducesthe space complexity of the S-box. Moreover, it allowsus to use pipelining and therefore the effective speedof the AES encryption is increased while processingindependent messages. Consequently, the S-boxes imple-mented using composite fields can lead to area-efficientand high-performance structures [40]. In the following,the preliminaries on composite field realizations of theS-boxes are presented.

2.1.2 Composite Field S-boxesLet us briefly explain the composite field arithmetics tocalculate the multiplicative inversion over GF (28). Thecomposite field realizations of the S-box using polyno-mial and normal bases are presented in Fig. 1. As seenin this figure, a transformation matrix transforms a fieldelement I ∈ GF (28) to the corresponding representationin the composite field GF (162), i.e., η. We consider theirreducible polynomial of u2 + u+ ν, where ν is chosenover GF (16) depending on the composite fields. Then,the multiplicative inversion generates the inverse as ψ =η−1. Finally, as seen in Fig. 1, the inverse transformationmatrix transforms the composite field element to the onein the binary field, i.e., O ∈ GF (28).

Using polynomial basis constructed by the irreduciblepolynomial of u2 + u + ν, one can obtain the coordi-nates of ψ as ψh = ηh(η

2hν + ηhηl + η2l )

−1 and ψl =(ηl + ηh)(η

2hν + ηhηl + η2l )

−1 [14]. This multiplicativeinversion in composite fields using polynomial basisis shown in the top part of Fig. 1 by a dotted rect-angle. Similarly, for normal basis, the coordinates ofψ are obtained as ψh = (ηhηl + (ηh

2 + ηl2)ν)−1ηl and

ψl = (ηhηl + (ηh2 + ηl

2)ν)−1ηh [20], shown in the dottedrectangle in the bottom of Fig. 1. One can refer to [14]and [20] for more details on the composite field S-boxarchitectures. As seen in Fig. 1, the above multiplica-tive inversions consist of composite field multiplications,additions and inversion in the sub-field GF (24). In thisfigure, the sub-field multiplications are shown by crossedcircles. Moreover, the circle with plus inside representsGF (24) addition using 4 XOR gates.

2.2 The Galois/Counter ModeAuthenticated encryption and decryption are the twofunctions within the GCM. The authenticated encryptionperforms two tasks; encrypting the confidential dataand computing an authentication tag. The authenticateddecryption function decrypts the confidential data andverifies the tag [5]. The data flow of the authenticatedencryption is shown in Fig. 2. As seen in this figure, themechanism for the confidentiality of data is a variationof the block cipher counter mode of operation, denotedby GCTRK (Galois Counter with the key K) [5]. For theAES-GCM, the block cipher encryption with the specifickey K is shown by AESK in Fig. 2. Then, the func-tion GCTRK performs the block cipher counter modewith the Initial Counter Block (ICB) and its increments

8 8 8 8

Transformation from

binary to composite field

Multiplicative inversion in

composite field

Inverse and affine

transformation

to binary field

Polynomial basis

Normal basis

4

4

4

4

448

4

4

Squaring and

constant mult.Inversion in

GF(24)

4

4

4

4

448

4

4

Squaring and

constant mult.Inversion in

GF(24)

Fig. 1. The composite field S-box architecture usingpolynomial basis and normal basis.

ICB INC INCCB2 CBi-1 CBi

AESK

P1 P2 Pi-1 P*iA1 Am

HH H H H H

LA,C

H

MSBtT

J0

GCTRK

GHASHH

X1 Xm Xm+1 Xm+2 Xn-2 Xn-1 Xn

H

0

128 128

128 128 128

128 128

128 128 128 128 128 128

128

128 128 128 128

128

128

128

128

128

128

128

t

AESK

AESK AESK AESK

AESK

Fig. 2. The GCM authenticated encryption data flow [5].

(CB2 − CBi) and the plaintext blocks (P1 − Pi) as theinputs.

As shown in Fig. 2, the Galois Hash (GHASHH ) func-tion within the GCM provides the authentication forthe confidential data. This function is constructed byGF (2128) multiplications with a fixed parameter, calledthe hash subkey (H). The GHASHH function calculates

n∑j=1

XjHn−j+1 = X1 ·Hn ⊕X2 ·Hn−1 ⊕ . . .⊕Xn ·H,

(1)

where X1 to Xn are the n, 128-bit blocks of the input[5]. It is noted that the hash subkey is generated byapplying the AES to the zero block, i.e., 0 = (0, 0, ..., 0) ∈GF (2128). Then, the GHASHH function calculates (1)[5]. All the arithmetic operations in (1), i.e., additions,GF multiplications, and exponentiations are performedover GF (2128) constructed by the irreducible polynomialP (x) = x128 + x7 + x2 + x+1. As seen in Fig. 2, the totalnumber of input blocks to GHASHH is n = m + i + 1,where m and i are the number of blocks for the addi-tional authenticated data (A1 − Am) and the output of


4

GCTRK , respectively. Eventually, the authentication tagT with length of t bits is derived. In the authenticateddecryption, the same GHASHH procedure is performedon the authenticated data and ciphertext blocks to verifythe tag. For the entire description of the GCM, one canrefer to [5].

3 PERFORMANCE EVALUATIONS AND COM-PARISONS OF THE AES S-BOXES

In this section, logic-gate optimizations for reducing thecomplexity of the S-boxes are presented. We also presentthe implementation results for benchmarking the perfor-mance of different S-boxes. Finally, power consumptionderivations and comparisons of the S-boxes through asimulation-based method are also presented.

The implementation complexities of the S-boxes usingcomposite fields are dependent on the choice of the co-efficients ν ∈ GF (24) and Φ ∈ GF (22) in the irreduciblepolynomials u2 + u + ν and v2 + v + Φ used for thecomposite fields, respectively.

The composite fields GF (((22)2)2) in polynomial basisuse iterations to construct the S-box. For these com-posite fields, the constants ν ∈ GF (24) and Φ ∈GF (22) are over GF ((22)2)/v2 + v+Φ and GF (22)/x2 +x + 1, respectively. According to [22], after exhaus-tive search for finding the possible choices for ν ∈GF (24) and Φ ∈ GF (22), the following 16 combi-nations are obtained: Φ ∈ {{10}2, {11}2} and ν ∈{{1000}2, {1001}2, {1010}2, {1011}2, {1100}2, {1101}2,{1110}2, {1111}2}. Similarly, for normal basis, it can bederived that the only two acceptable values for Φ areΦ = {10}2 and Φ = {01}2. Furthermore, the following8 values of ν are acceptable: ν ∈ {{0100}2, {0001}2,{1000}2, {0010}2, {0111}2, {1101}2, {1011}2, {1110}2}.

Based on the possible values of ν and Φ in polynomialbasis representation, the (inverse) transformation matri-ces can be constructed using the algorithm presented in[16]. In this algorithm, using an exhaustive search, thetransformation matrix is constructed using eight baseelements in GF (((22)2)2), i.e., 1, ξ, ξ2, . . . , ξ7, to whicheight base elements of GF (28) are mapped. We notethat for each combination of ν and Φ, there exist eightpossible (inverse) transformation matrices. These areconstructed according to the base element ξ and theconjugates of this base element, i.e., ξ2

i

, i = 1, 2, . . . , 7. Inthis section, for each combination of ν and Φ, one of thesepossible matrices is considered. As suggested in [16],we have also used subexpression sharing for obtainingthe low-complexity implementations for these matrices.We note that different (inverse) transformation matricesin normal basis are derived simply by reordering thecolumns.

3.1 Logic-gate Optimizations

The field inversion in GF (24) of the most compactcomposite field in [20] has been modified in [18] to

decrease its hardware complexity. This field uses normalbasis with Φ = {10}2 and ν = {0001}2. Now, weconsider polynomial basis to further optimize the S-boxes using polynomial basis. We present the followinglemma through which the hardware complexity of thecomposite field inversion in GF (24) is decreased. Thisis performed by presenting low-complexity formulationsfor the inversion in GF (24) through logic-gate mini-mization. Moreover, these formulations are implementedusing NAND, NOR, and XOR gates for reducing thecomplexity.

Lemma 1 Let γ = (γ3, γ2, γ1, γ0) be the input and θ =(θ3, θ2, θ1, θ0) be the output of an inverter in GF (24). Then,the formulations for the low-complexity inversion in GF (24)using polynomial basis with Φ = {11}2 are as follows:

θ3 = γ2γ3γ1 + γ3γ0,

θ2 = γ3γ0 ∨ γ2(γ3 ∨ γ1),

θ1 = γ2γ0 ∨ γ3γ1γ0 ∨ γ3γ1γ2, (2)θ0 = γ3 ∨ γ1γ0 ∨ γ2γ0γ1 + γ1(γ2 ∨ γ3γ0).

Moreover, for Φ = {10}2, one reaches the following:

θ3 = γ2γ3γ1 + γ3γ0,

θ2 = γ2γ1 ∨ γ3(γ2 ∨ γ0), (3)θ1 = γ3γ1(γ2 ∨ γ0) ∨ γ2γ0 + γ3 + γ2 + γ1,

θ0 = γ0 ∨ γ2γ3 ∨ γ1γ3γ2 + γ2(γ1 ∨ γ0γ3).

where “+” and “∨” represent the XOR and OR operations,respectively.

Proof: For γ = (γ3, γ2, γ1, γ0) as the input andθ = (θ3, θ2, θ1, θ0) as the output of an inverter in GF (24),the formulations for the inversion in GF (24) using thepolynomial basis with Φ = {11}2 and Φ = {10}2 areobtained as follows, respectively, [16], [22]:

θ3 = γ3γ2γ1 + γ3γ0 + γ2,

θ2 = γ3γ2γ1 + γ3γ2γ0 + γ3γ0 + γ2γ1 + γ3,

θ1 = γ3γ2γ1 + γ3γ1γ0 + γ3γ0 + γ3γ1 + γ2γ0+

γ2γ1 + γ2 + γ1, (4)θ0 = γ3γ2γ1 + γ3γ2γ0 + γ3γ1γ0 + γ2γ1γ0+

γ2γ0 + γ3γ0 + γ2γ1 + γ3 + γ1 + γ0,

θ3 = γ3γ2γ1 + γ3γ0 + γ3 + γ2,

θ2 = γ3γ2γ1 + γ3γ2γ0 + γ3γ0 + γ2γ1 + γ2,

θ1 = γ3γ2γ1 + γ3γ1γ0 + γ2γ0 + γ3 + γ2 + γ1, (5)θ0 = γ3γ2γ1 + γ3γ2γ0 + γ3γ1γ0 + γ2γ1γ0 + γ3γ1+

γ3γ0 + γ2γ1 + γ2 + γ1 + γ0.

One can obtain θ3-θ0 in (2) and (3) from those of (4)and (5), respectively. For performing this, we note thatγi + 1 = γi and γi + γj + γiγj = γi ∨ γj . For instance, weobtain θ3 in (2) from that of (4) as θ3 = γ3γ2γ1 + γ3γ0 +γ2 = γ2(γ3γ1 + 1) + γ3γ0 = γ2γ3γ1 + γ3γ0. Using similarmethods, some of which are also presented in [18], one


5

can obtain (2). As another example, one can obtain θ3in (3) from that of (5) as θ3 = γ3γ2γ1 + γ3γ0 + γ3 + γ2 =γ2(γ3γ1+1)+γ3(γ0+1) = γ2γ3γ1+γ3γ0. By verifying the16 combinations of the input γ, same results are obtainedfor (2) and (4) ((3) and (5)).

In what follows, we evaluate and compare the perfor-mance metrics of different S-boxes. The presented resultsconfirm efficiency increase using (2) and (3).

3.2 Area and Delay Evaluations

In the following, we evaluate and compare the areas,delays, throughputs, and efficiencies of different S-boxes,including the ones presented in [13], [14], [15], [16],[18], [20], [21], [22], [23], and [25]. It is noted that theimplementation in [24] is for the inversion in GF (24)and does not provide the entire S-box architecture.

Using MATLAB R© [41], we have derived the low-complexity transformation and mixed inverse and affinetransformation matrices for the syntheses. We haveused the STM 65-nm CMOS standard technology andCORE65LPSVT standard cell library [35]. This libraryis optimized for using in low-power applications. Thenominal junction temperature is 25 ◦C and VHDL hasbeen used as the design entry to the Synopsys R© DesignVision R© [34]. We note that the presented results are postsynthesis and do not consider the post layout routing.

The results of our syntheses are presented in Table1. As seen in this table, for different S-boxes, the areas(in terms of μm2), critical path delays (in terms ofns), maximum working frequencies (in terms of MHz),throughputs (in terms of Gbps), and efficiencies (in termsof Mbps

μm2 ) have been obtained. According to the STM 65-nm standard cell library information, the lowest andnominal drive strength for the cells is two. It is notedthat the area of a NAND gate in the utilized STM 65-nmCMOS library for the drive strength of two is 2.08μm2.Then, using this area, we have also provided the gateequivalent (GE) measure for different S-boxes in thetable. Note that if we increase the area effort, lower areasare usually achieved mostly at the expense of more delayoverhead.

Memory macros tend to be expensive in hardware forimplementing the S-boxes, resulting in high hardwarecomplexity and power consumption. Therefore, this im-plementation is not considered in this paper. We haveconsidered two different methods of realization of theLUT S-boxes. In these methods, read-only LUTs are usedfor implementing the S-box, see, for instance, [42] andthe hw-lut/hybrid-lut architectures of [19]. This allowsus to logic-optimize the S-box architecture by synthesisof hardware description languages, leading to low-areaimplementations. In the first method (LUT/ROM), theentire S-box is implemented using LUTs. Moreover, weconsider the S-boxes in which only the multiplicativeinversion (MI) in GF (28) is implemented using LUTsand the affine transformation is implemented separately(LUT/ROM-MI). This enables the designers to share the

multiplicative inversion in GF (28) for the S-box and theinverse S-box in the merged structures.

In some of the previous works such as [14], [15],[20], and [21], the area of the S-box has been presentedin terms of gate equivalent (GE). For instance, in [14]and [21], the areas of the implemented S-boxes havebeen provided as 294 GE and 272 GE using 0.11μmand 0.18μm technologies, respectively. Based on theinformation of the cell library in a 0.18μm technology,the gate count of the S-box has been converted to gateequivalent as 180 GE in [20]. We note that althoughFPGA implementations have been performed, the resultspresented in [20] (unlike those in [14], [15], [21], andthis paper) are the direct conversion of the gate count(without synthesis) to GE. In addition, the conversionfactor of 1.75 has been used in [20] for obtaining theGE for XOR/XNOR and MUX21. However, in the celllibrary used in this paper, these conversion factors are2.25 and 2, respectively [35]. Other parameters whichcause different GE results are the type of the synthesistools used and the map effort specified. In this paper, thesynthesis results are obtained using VHDL as the designentry to the Synopsys R© Design Vision R© [34].

Using (2) and (3) of Lemma 1, we have also presentedthe results of the logic-gate optimized S-boxes in Table1. Specifically, we have used (2) and (3) for two mostcompact S-boxes using polynomial basis for Φ = {11}2and Φ = {10}2 in Table 1. It is also noted that foreach of the evaluated performance metrics, the threebest cases among different results for the S-boxes havebeen marked with superscripts 1, 2, and 3. As shown inTable 1, the areas for the composite field S-boxes rangefrom 403.2-589.2 μm2 (difference of 46.1%), the workingfrequencies from 625-900 MHz (difference of 44.0%), thethroughputs from 5.0-7.2 Gbps (difference of 44.0%), andthe efficiencies from 8.6-14.4 Mbps

μm2 (difference of 67.4%).As seen in Table 1, the S-boxes using LUTs (last two

rows) are the fastest S-boxes. However, their efficienciesare not the highest among other S-boxes in Table 1.Among the composite field S-boxes, the one using nor-mal basis presented in [23] is the most compact one (seethe area column in Table 1). However, it has the worstworking frequency and throughput. The S-boxes usingpolynomial basis (optimized using (2)) have the highestfrequency and throughput among the composite field S-boxes. Finally, the highest efficiency (see the last columnin Table 1) is obtained for the one using polynomial basiswith Φ = {11}2 and ν = {1010}2 (optimized using (2)).

3.3 Power Consumptions and Comparisons

In the following, the power consumption results fordifferent S-boxes are presented. We have derived thepower consumptions of the S-boxes within the AESthrough a simulation-based analysis method. In whatfollows, we present the power derivation method as wellas the results of our analysis and comparison.


6

TABLE 1Evaluation of the performance metrics of the S-boxes on ASIC using the STM 65-nm CMOS standard technology.

Structure Specifications Area Delay [Frequency] Throughput EfficiencyΦ ν (μm2) GEa (ns) [MHz] (Gbps) (Mbps

μm2 )

1000 [21], [22]b 525.2 252.5 1.31 [763] 6.1 11.61000 (proposed, using (3)) 518.9 249.4 1.15 [869] 7.0 13.53

1001 537.2 258.2 1.43 [699] 5.6 10.41010 535.6 257.5 1.36 [735] 5.9 11.01011 540.8 260.0 1.43 [699] 5.6 10.3

10 1100 [13], [14], [16]c 540.3 259.7 1.37 [730] 5.8 10.81101 548.6 263.7 1.34 [746] 6.0 10.91110 524.7 252.3 1.40 [714] 5.7 10.9

1110 (proposed, using (3)) 510.23 245.2 1.25 [800] 6.4 12.5Polynomial 1111 535.6 257.5 1.40 [714] 5.7 10.6

basis 1000 528.3 253.9 1.39 [719] 5.8 10.91000 (proposed, using (2)) 516.3 248.2 1.11 [900]3 7.23 13.92

1001 534.6 257.0 1.56 [641] 5.1 9.61010 [22]b 519.0 249.5 1.42 [704] 5.6 10.9

1010 (proposed, using (2)) 498.42 239.6 1.11 [900]3 7.23 14.4111 1011 531.0 255.2 1.45 [690] 5.5 10.4

1100 548.1 263.5 1.49 [671] 5.4 9.81101 546.5 262.7 1.42 [704] 5.6 9.81110 542.8 260.9 1.52 [657] 5.3 9.71111 542.9 261.0 1.52 [657] 5.3 9.7

0001 [20]b 569.4 273.7 1.59 [629] 5.0 8.80001 [20], [18]d 511.7 246.0 1.45 [690] 5.5 10.7

0010 564.2 271.2 1.42 [704] 5.6 10.00100 576.7 277.2 1.57 [637] 5.1 8.8

10 1000 579.3 278.5 1.46 [685] 5.5 9.40111 575.1 276.5 1.56 [641] 5.1 8.91011 589.2 283.2 1.55 [645] 5.2 8.71101 572.0 275.0 1.60 [625] 5.0 8.7

Normal 1110 588.6 282.0 1.57 [637] 5.1 8.6basis 0001 564.2 272.2 1.58 [633] 5.1 9.0

0010 577.2 277.5 1.51 [662] 5.3 9.20100 564.2 271.2 1.59 [629] 5.0 8.9

01 1000 570.9 274.4 1.58 [633] 5.1 8.90111 583.9 280.7 1.49 [671] 5.4 9.21011 572.5 275.2 1.58 [633] 5.1 8.91101 583.9 280.7 1.48 [676] 5.4 9.31110 571.9 274.9 1.59 [629] 5.0 8.8

Normal basis - 0001 [23]e 403.21 193.8 1.64 [610] 4.9 12.1

Polynomial basis - 1110 [15]f 554.3 266.5 1.26 [794] 6.4 11.5Mixed basis [25]g - - 571.1 274.5 1.30 [769] 6.2 10.9

LUT/ROM [42], [19]h - - 1,407.1 676.4 0.60 [1666]1 13.31 9.5LUT/ROM-MI [19]i - - 1,434.6 689.4 0.68 [1470]2 11.82 8.2

1, 2, and 3 are the best cases for each performance metric.

a. Gate equivalent in terms of two-input NAND.b. Among all fields considered, the presented composite field has the least hardware complexities in terms of logic-gate counts.c. These are some works in which this composite field is used.d. The hardware complexity of this composite field, which is obtained in [20] as the most compact one, has been improved in [18].e. This implementation is based on a minimization method resulting in low area at the expense of more timing complexity.f. This architecture is based on the composite field GF ((24)2).g. Has been presented very recently based on mixed polynomial and normal bases and only focuses on decreasing the critical path delay.h. Using synthesized ROM-based LUTs.i. LUTs for the multiplicative inversion (MI) and logic gates for the affine transformation.

3.3.1 Power Derivation Method

We use VHDL as the design entry to the Synopsys R©

Design Vision R©. After obtaining the gate-level netlistsof the S-boxes, timing simulations are performed usingModelSim R© SE 6.2d [36]. The testbench used for timingsimulations covers all the 256 × 255 = 65280 possibletransitions for the 8-bit input of the S-box. This exhaus-tive input pattern assertion includes all the possible tran-

sitions between each two different pairs of the possible256 inputs. Then, for each and every S-box, the results ofthe switching activities of all internal nodes have beenlogged in the VCD (Value Change Dump) files. We haveset the resolution of the timing simulations to high sothat the VCD files contain the switching activities ofglitches (dynamic hazards) occurring in the logic gates.Then, as the final step, the power consumption of the cir-


7

cuit is computed from the VCD logs, gate-level netlists,cell information, and parasitics of the target ASIC library.We have utilized the Synopsys R© PrimeTime R© PX [34]to obtain the average power (including net switchingpower, cell internal power, and cell leakage power),peak and instantaneous power consumption details. Itis noteworthy that the power consumption results arefor the working frequency of 50 MHz and for the highresolutions for both timing and power consumption.

3.3.2 Analysis and ComparisonThe results of our simulation-based power computationsare presented in Table 2. As depicted in this table, fordifferent S-boxes, we have derived the average power(in terms of μW), peak power (in terms of mW), andthe input pattern transition for which the peak powerhappens. As shown in Table 2, the average powers forthe composite field S-boxes range from 44.39-58.96 μW(difference of 32.8%) and the peak powers from 1.013-1.324 mW (difference of 30.7%). We have also marked(with superscripts 1, 2, and 3) the three cases for whichthe lowest power consumptions are achieved.

Comparing the results in Tables 1 and 2 shows thatgenerally and with few exceptions, the S-boxes withmore hardware complexities consume more power. Asseen in Table 2, the highest and lowest average powerconsumptions are achieved for the LUT-based (usingmemories) S-box and the normal basis S-box presentedin [23], respectively. Based on our results in Table 1,these two S-boxes have the highest and lowest hardwarecomplexities, respectively. On the other hand, accordingto the results of Table 1, the normal basis S-box presentedin [23] has the highest timing complexity among thecomposite field S-boxes.

The transitions of the inputs of the S-boxes when thepeak powers occur have been also shown in Table 2. Asshown in this table, most of the peak powers occur whenthe S-box input changes to the all-zero input.

4 HIGH-PERFORMANCE GCM PARALLEL AR-CHITECTURE

In this section, we propose high-performance parallelarchitectures for the GCM. These architectures improvethe throughput and the latency of the structures pre-sented in [31] and [32] for GHASHH . They also removethe need for consecutive GF (2128) multiplications withH for deriving (1). We also derive the hardware imple-mentations of the exponentiations of the hash subkeyto the powers of 2, i.e., in the form of H2j , needingonly XOR gates. Because of the low complexity of theimplementations of these exponents, we take advantageof these low-cost hash subkey powers in the proposedhigh-performance architectures. We utilize the powersin the form of H2j to obtain the other powers of thehash subkey with the least number of GF multiplicationsover GF (2128) for proposed architectures. For instance,we derive H3 = H2 ×H or H6 = H4 ×H2.

TABLE 2Evaluation of the power consumptions of the S-boxes onASIC using the STM 65-nm CMOS standard technology

and the Synopsys R© PrimeTime R© PX [34].

Structure Specification Averagea Peakb

Φ ν (μW) (mW) Transition1000 [21], [22]c 54.99 1.283 78→ 00

1001 55.77 1.184 1C → 001010 54.91 1.165 F4→ 58

10 1011 56.45 1.262 79→ 001100 [13], [14] 55.98 1.283 C0→ 00

, [16]d

1101 56.63 1.324 D5→ 011110 55.28 1.313 B5→ 00

Polynomial 1111 55.87 1.161 C3→ 07basis 1000 54.69 1.1342 27→ 00

1000 (proposed, 54.15 1.188 B8→ 00using (2))

1001 55.44 1.214 54→ 011010 [21]c 54.12 1.1453 71→ 00

1010 (proposed, 53.782 1.229 C9→ 00using (2))

11 1011 54.80 1.218 55→ 001100 55.13 1.178 D7→ 001101 56.51 1.244 BA→ 001110 55.91 1.239 3B → 001111 55.40 1.185 9C → 00

0001 [20]c 58.02 1.268 46→ 000001 [20], [18]e 54.033 1.189 46→ 0A

0010 58.51 1.291 41→ 000100 58.03 1.283 46→ 00

10 1000 58.15 1.290 41→ 000111 58.79 1.299 F2→ 001011 58.35 1.247 91→ 001101 58.81 1.300 73→ 00

Normal 1110 58.96 1.309 91→ 00basis 0001 58.19 1.323 68→ 00

0010 58.07 1.284 92→ 000100 57.90 1.292 68→ 00

01 1000 58.17 1.292 92→ 000111 58.54 1.291 43→ 001011 57.88 1.231 E7→ 001101 58.70 1.282 42→ 001110 58.23 1.246 5B → 00

Normal - 0001 [23]f 44.391 1.0131 27→ 00basis

Polynomial - 1110 [15]g 55.48 1.208 22→ 00basis

Mixed - - 58.06 1.242 46→ 00basis [25]

LUT/ROM - - 63.18 1.337 91→ 00[42], [19]

LUT/ROM-MI - - 66.20 1.344 91→ 00[19]

1, 2, and 3 are the best cases for each performance metric.

a. Includes net switching, cell internal, and cell leakage power.b. Obtained from the instantaneous power values for each case,including the power consumptions for the glitches.c. Among all fields considered, the presented composite field hasthe least hardware complexities in terms of logic-gate counts.d. These are some works in which this composite field is used.e. The power consumption of this composite field, which is obtainedin [20] as the most compact one, has been improved in [18].f. The lowest-power yet the slowest composite field S-box.g. This architecture is based on the composite field GF ((24)2).

4.1 High-Performance GHASHH Function

Algorithm 1 is used for obtaining the key formulationfor the proposed GHASHH function. Although there isno restriction in choosing q, i.e., the number of paralleladder-multipliers, we use q = 2j , 1 ≤ j ≤ �log2(n)�.This leads to lower number of clock cycles and higher


8

Algorithm 1 The proposed high-performance approachfor implementing the GCM.

Inputs: Xp ∈ GF (2128), 1 ≤ p ≤ n, and H2j ∈ GF (2128),0 ≤ j ≤ log2(q).Output: GHASH(X,H)=

∑nj=1 XjH

n−j+1.

1: for i = 1 to q do2: tempi ← Xi

3: for j = 1 to nq − 1 do

4: tempi = (tempi ×Hq ⊕Xi+jq)5: end for6: Let q − i+ 1 = (a0

(i), . . . , alog2(q)(i))2

7: tempi = tempi × (Ha(i)0 q ×H

a(i)1 q

2 × . . .×Ha(i)

log2(q))8: end for9: GHASH(X,H) =

∑qi=1 tempi

10: return GHASH(X,H).

throughput needed for the implementations. In Algo-rithm 1, the output GHASH(X,H) is obtained as follows:

X1 ·Hq × . . .×Hq

︸︷︷︸nq times

⊕X2 ·Hq × . . .×Hq

︸︷︷︸nq−1 times

×Hq−1 ⊕ . . .

⊕Xj ·Hq × . . .×Hq


×Hq−j+1 ⊕ . . .

⊕Xq ·Hq × . . .×Hq


×H ⊕Xq+1 ·Hq × . . .×Hq


⊕Xq+2 ·Hq × . . .×Hq


×Hq−1 ⊕ . . .⊕XnH, (6)

where all operations are performed over GF (2128) con-structed by the irreducible polynomial P (x) = x128 +x7 + x2 + x+ 1 and

⊕comprises 128 XOR gates.

One can re-write (6) so that only the exponentiationsof the hash subkey to the powers of 2 in the form of H2j

are utilized. This method of exponentiation is based onthe binary exponentiation, see, for example, [43]. As seenfrom this algorithm, for the exponentiations Hq−i+1, 1 ≤i ≤ q, one can use the binary representation of q − i+ 1as (a0

(i), . . . , alog2(q)(i))2 .

The hardware implementation of Algorithm 1 hasbeen presented in Fig. 3. For implementing Algorithm 1in hardware, in total, n

q +log2(q) clock cycles are needed.For the first n

q − 1 clock cycles, the GF (2128) multiplica-tions by Hq are performed. This is achieved by a simplecontrol unit selecting Hq . Then, for the next log2(q) clockcycles, the other exponentiations are used. These includethe powers of the hash subkey in the form of H2j and anumber of field elements 1 = (0, 0, ..., 1) ∈ GF (2128) forbypassing the GF (2128) multiplication operations. Wenote that if n is not a multiple of q, one needs to add q−mod (n, q) blocks containing 0 = (0, 0, ..., 0) ∈ GF (2128)to the beginning of the n blocks to make the total blocksprocessed multiple of q. Performing this, the hash com-

putation can be done normally based on the presentedprocedure. Finally, in one clock cycle, the result becomes∑n

j=1 XjHn−j+1. As seen in Fig. 3, q adder-multipliers

are required and multiplexers are also utilized to selectdifferent exponentiations.

To illustrate the proposed scheme, we use the casewith n = 16 and q = 8. In the first clock cycle (j = 1),the outputs of all the multiplexers in Fig. 3 are H8 forthis case. Then, according to the following, the outputsof the multiplexers in the other cycles can be found.

j=3︷︸︸︷

(

j=1︷︸︸︷X1H

8⊕X9)H8

︸︷︷︸j=2

×1×1

︸︷︷︸j=4

⊕

j=3︷︸︸︷

(

j=1︷︸︸︷X2H

8⊕X10)H4

︸︷︷︸j=2

×H2×H

︸︷︷︸j=4

⊕

. . .⊕

j=3︷︸︸︷

(

j=1︷︸︸︷XiH

8⊕Xi+8)H4a

(i)1︸︷︷︸

j=2

×H2a(i)2 ×Ha

(i)3

︸︷︷︸j=4

⊕ (7)

. . .⊕

j=3︷︸︸︷

(

j=1︷︸︸︷X8H

8⊕X16)H︸︷︷︸j=2

×1×1

︸︷︷︸j=4

,

where (a1, a2, a3)2 is the binary representation of q− i+1 = 9−i, 1 ≤ i ≤ 8. Five cycles are required to implement(7); 4 cycles are shown in (7) with j = 1 to j = 4, andthe last one is used for the addition of the results of theregisters R1 −R8 to have the final result in RT .

According to Fig. 3, the working frequency of theproposed scheme is obtained as Tmul+TX (we note thatthis delay is larger than that of the XOR tree). It is notedthat Tmul is the time delay of the used multiplier andTX is the time delay of one set of modulo-2 additionsin the critical path. Furthermore, according to Algorithm1, the number of clock cycles needed for the GHASHH

function is nq + log2(q). Latency and throughput of the

proposed scheme are compared with the ones presentedin [27], [28], [29], [31], and [32] in Table 3. As seen in thistable, the sequential approach has the least throughputwhich leads to low-performance hardware implemen-tations. The throughput of the proposed scheme, i.e.,

128(Tmul+TX)(n

q +log2(q)), is higher than that of the scheme

in [31] and [32], i.e., 128(Tmul+TX)(n

q +q−1) , especially forhigh values of parallel structures, i.e., high values of q.For example, for the case presented in (7), the proposedarchitectures of this paper need n

q + log2(q) = 2 + 3 = 5clock cycles to obtain the result. This can be comparedwith the linear relation of the scheme in [31] and [32]with q, leading to n

q + q − 1 = 2 + 8− 1 = 9 clock cyclesneeded. The complete comparison in terms of hardware


9

R1

1qjX

R2 R3 R4

Hq

RT

Rq-1

( 1) 1q jX

Rq

( 1)q jX

2qjX 3qj

X 4qjX

128

128128128128128128

128 128 128 128 128 128

Hq

Hq/2

HH

2

Hq

Hq/2

1H

Hq

H2

1

Hq

H11

Hq

1H

2

Hq/2

128-bit XOR tree

128128128

Fig. 3. The hardware architecture of the proposed high-performance GCM GHASHH function.

TABLE 3Performance analysis and comparison of GHASHH

within the GCM for n blocks and q parallel structures.

Approach Latency ThroughputSequential

[27], [28], [29] n 128(Tmul+TX )n

[31], [32] nq+ q − 1 128

(Tmul+TX )(nq+q−1)

Proposed nq+ log2(q)

128(Tmul+TX )(n

q+log2(q))

and timing complexities of the proposed architectureswith the previous ones is presented in Section 5 usingASIC syntheses.

4.2 High-Speed Structures for Hash Subkey Powers

In the following, using squaring operations, we presentthree methods for implementing the hash subkey expo-nentiations. Using a complexity reduction algorithm, wealso derive their hardware-optimized architectures.

According to [5], it is less likely that the GCM isinvoked with the same key on distinct sets of inputdata. Thus, a new hash subkey and its powers needto be obtained in each invocation. It is known that thesquaring operation in binary extension fields leads to alinear structure, see, for example, [44]. In other words,implementing squaring in hardware is less costly thanGF (2128) multiplications. The squaring of a field elementover GF (2128) in the GCM uses the irreducible polyno-mial P (x) = x128+x7+x2+x+1. Utilizing P (x), we haveobtained the formulations for the squaring after per-forming modular reduction. It is noted that MATLAB R©

[41] has been utilized to verify the formulations usedfor squaring. For the GCM, the critical path delay ofsquaring is obtained as 3TX , where TX is the XOR gatedelay. Moreover, it requires 202 XOR gates.

To implement H2j , 2 ≤ j ≤ �log2(q)�, one can cascadej squaring architectures or use a feedback for derivingthem. We refrain using the feedback structure becauseof its low throughput and high latency. According to thehardware and timing complexities of squaring derivedin this section, for H2j , the cascade structure yields

h0h1 0000 0 h31d

e1

h32h63

h32h63

h32

h32h62

0

0000

00

h32h330h63 0 0

e2

h64h650h95

e3

h96h970h127

0 00

0

0 00

000

00

0h63

h64h95 00 0h64h95 00 0

h64

h92

00h64

h95h95h9500 00h95

h33

h33

h33

h65

00

h63h630 00h63 h630

h93

0 h93

0 h93

h93

00

00

Mod P(x)

0 0

0

Fig. 4. The derivation of H4 of the GCM hash subkey.

to the hardware and timing complexities of 202j XORgates and 3j TX , respectively. This leads to low-speedimplementations which are not desirable in applicationsrequiring high performance. It is possible to reduce thedelay of the implementations of these exponentiationsfor the high-performance hardware implementations. Toachieve this, we do not cascade the squaring implemen-tations. Instead, we find the squaring exponentiationsseparately so that their derivations become in parallel.This reduces the critical path delay of the realizations.We present the following lemma for obtaining the expo-nentiations of the hash subkey within the GCM.

Lemma 2 The squaring exponentiations of the hash subkey,i.e., H2j , 2 ≤ j ≤ �log2(q)�, are obtained using the following.

H2j mod P (x) = d+2j−1∑i=1

ei, (8)

where, d and ei, 1 ≤ i ≤ 2j−1, are field elements in GF (2128)defined as follows

d =

128

2j−1∑

s=0

hsx2j×s, ei = (

128(i+1)

2j−1∑

s= 128i

2j

hsx2j×s) mod P (x)

Proof: Let H =∑127

s=0 hsxs ∈ GF (2128) be

the hash subkey of the GHASH function. Then,we have H2j = (

∑127s=0 hsx

2j×s) mod P (x) =∑ 128

2j−1

s=0 hsx2j×s + (

∑127s= 128

2jhsx

2j×s mod P (x)) = d +

(∑2j−1

i=1

∑ 128(i+1)

2j−1

s= 128i

2j

hsx2j×s) mod P (x) = d +

∑2j−1i=1 ei

and the proof is complete.For clarifying the method, we present the structure for

deriving H4 in Fig. 4. We obtain the polynomials d ande1-e3 in (8) as: d = h31x

124 + h30x120 + . . . + h0, e1 =

h63x252+h62x

248+ . . .+h32x128, e2 = h95x

380+h94x376+

. . .+h64x256, and e3 = h127x

508+h126x504+ . . .+h96x

384.As seen in this figure, the coefficients of d are added withthe reduced coefficients of e1-e3 using P (x).

The complexity reduction techniques use differentmethods for decreasing the number of gates needed in


10

(.)2

(.)2 (.)4 (.)8

(.)2

(.)2

(.)2

(.)2

(.)8

H2

H4

H8

H2

H4

H8

H4

H2

H8

H H HH

H

H

(a) (b) (c)

Fig. 5. (a) Cascade, (b) parallel, and (c) hybrid realizationmethods for the hash subkey exponentiations.

the implementations, see, for example, the ones in [45]and [46]. Because it is not guaranteed that the delay ofthe method in [45] is maintained, we have implementedthe complexity reduction algorithm presented in [46]using a C code. In our program, the procedure suggestedin [46] (to find the shared XOR terms) has been utilizedfor the case study of q = 8, which requires implementingH2, H4 and H8. It is noted that through the employedtechnique, we reach low hardware complexities withoutchanging the critical path delays.

We have performed three experiments for implement-ing H2, H4 and H8. These are shown in Fig. 5. As seenin Fig. 5a, in the cascade method, three identical squar-ing architectures are used consecutively. This methodhas the lowest hardware complexity and the highesttiming complexity. In Fig. 5b, the parallel method ofimplementation of the hash subkey exponentiations isutilized. Compared to the other methods, this methodhas the lowest critical path delay while its hardwarecomplexity is the highest. On the other hand, in thehybrid method which is shown in Fig. 5c, a compromisebetween hardware and timing complexities is achieved.

The timing and hardware complexities of these meth-ods and the results of the complexity reduction tech-nique utilized for them are depicted in Table 4. In thistable, for three methods presented in Fig. 5, the hardwarecomplexities before and after complexity reduction arederived. The timing complexity is remained unchangedafter applying the complexity reductions. As seen inTable 4 in bold face, the least hardware complexity isachieved for the cascade method after the complexityreduction, i.e., 594 XOR gates. However, the timingcomplexity of this method is the highest among the threemethods as depicted in this table. On the other hand, thetiming complexity of the parallel method is the lowest,i.e., 5TX . As shown in Table 4, this is at the expense ofhigher hardware complexity which is 1099 XOR gatesafter about 45% complexity reduction.

4.3 GF (2128) Multipliers for the GCMDifferent types of GF (2128) multipliers are utilized inthe literature for implementing the GF (2128) multipli-cations in (1). In [27], [31], and [32], the multiplicationshave been performed using bit-parallel, digit-serial, andhybrid multipliers in composite fields. Furthermore, in[28] and [47], the efficiency of different multipliers, in-cluding the sub-quadratic ones, are compared. Moreover,in [48] a high-speed AES-GCM core has been presented.It is noted that the considered GF (2128) multipliersin these works include the Mastrovito multiplier [49]with quadratic space complexity, the Karatsuba-Ofmanmultiplier [50] and the GF (2128) multiplier in [51].

We have considered the bit-parallel GF (2128) multi-plier presented in [52] which has quadratic hardwarecomplexity. It is noted that this GF (2128) multiplier haslower timing complexity compared to the sub-quadratichardware complexity GF (2128) multipliers. However, wenote that according to the latency of the proposed archi-tectures, i.e., n

q + log2(q), increasing the number of par-allel structures (q) results in having higher throughputs.On the other hand, having higher values for q increasesthe hardware complexities of GHASHH . Therefore, forreducing the hardware complexity, using sub-quadratichardware complexity GF (2128) multipliers is beneficialwhen high values of q are utilized.

For reducing the hardware complexity of the AES-GCM, we have also used the efficient realization ofthe Karatsuba-Ofman multiplier presented in [53] as thesub-quadratic hardware complexity GF (2128) multiplier.It is noted that the gate count of different steps forone Karatsuba-Ofman multiplier has been presented in[53]. Based on our technology hardware and timingspecifications, we have presented the performance of theGF (2128) multipliers in Table 5. As shown in this table,six different steps for the Karatsuba-Ofman multipliersare considered. We denote these realizations by KO1

(for the case that only one step is performed) to KO6

(for which the 128-bit GF (2128) multiplier is broken allthe way to 2-bit multiplications using Karatsuba-Ofmanmethod). Applying the Karatsuba-Ofman method recur-sively to obtain KOi, 2 ≤ i ≤ 6 for the GCM wouldresult in low-area implementations with higher timingcomplexities. As seen from this table, although the sub-quadratic multiplier KO5 is the most compact imple-mentation, the sub-quadratic multiplier KO4 reachesthe best efficiency. In the next section, we present thesynthesis results of these sub-quadratic multipliers forour proposed architectures. We also compare the powerconsumptions and the efficiencies of different methodsfor realizing these multipliers.

5 AES-GCM PERFORMANCE COMPARISONS

In this section, first different AES architectures are pre-sented and then we present and compare the ASICsynthesis results of the proposed and the previouslypresented architectures for the AES-GCM function.


11

TABLE 4Complexities of the realizations of the hash subkey exponentiations for q = 8 parallel architectures for GHASHH .

Method Hardware Complexity Hardware Complexity Complexity reduction Timing Complexityafter complexity reduction (%)

Cascade (Fig. 5a) 606 XORs 594 XORs ≈ 2% 9TX

Parallel (Fig. 5b) 1986 XORs 1099 XORs ≈ 45% 5TX

Hybrid (Fig. 5c) 1627 XORs 1062 XORs ≈ 35% 6TX

...

...

...

...

...

... ...

...

GCTR

GHASH

AES

128

AAD E

Mask

Fig. 7. The proposed AES-GCM high-performance architecture for q = 8 (mod(n, q) = 0).

TABLE 5Hardware and timing complexities analysis of the utilized

bit-parallel multipliers for the GCM.

Multiplier GEa Delay Efficiencyb

Complexity Type (103 × ThroughputGE

)Quad. [52] - 56,957 TA + 10TX 0.21/TX

KO1 44,338 TA + 12TX 0.23/TX

KO2 34,660 TA + 14TX 0.25/TX

Sub-quad. KO3 28,195 TA + 16TX 0.27/TX

[53] KO4 24,517 TA + 18TX 0.28/TX

KO5 23,443 TA + 20TX 0.27/TX

KO6 24,961 TA + 21TX 0.24/TX

a. Gate equivalent in terms of two-input NAND.b. Considering TX = 1.99TA according to the utilized technology.

We have presented different AES-128 architectures inFig. 6. As seen in the AES simple loop structure (Fig.6a), the AES rounds are executed serially (in the lastround MixColumns is bypassed). This architecture is

AES Round

128

(a) Simple loop

Round 1

(b) Unrolled pipelined

Round 2

Round 10

...

128

128

Round 1

(c) Unrolled sub-pipelined

Round 2

Round 10

...

128

128

pipeline

stages ......

...

sub-pipeline

stages

Fig. 6. The AES-128 structure for (a) simple loop, (b)unrolled pipelined, and (c) unrolled sub-pipelined archi-tectures (MixColumns is bypassed in the last round).

the most compact AES architecture and has been usedin the literature, see, for instance, [14]. However, itsuffers from low throughput. In Fig. 6b, the AES unrolledpipelined structure is shown in which the pipeline stages


12

TABLE 6The proposed architecture for the AES-GCM.

AES GCM (Proposed using Algorithm 1)(Unrolled pipelined) Exponents Multiplier

PB S-box (Φ = {11}2, Complexity-reduced Quad. and sixν = {1010}2) parallel method sub-quad. (KO1

optimized using (2) (Table 4 and Fig. 5b) -KO6) in Table 5

are shown by dotted lines (see, for instance, [40]). Asseen in this figure, 10 AES rounds are duplicated, withthe last round without the MixColumns transformation.Although this architecture needs 10 AES rounds to beimplemented, it allows the designers to use pipelin-ing and hence process multiple inputs sequentially forachieving high throughput. For further increasing thethroughput, sub-pipelining of the AES transformationscan be used as depicted in Fig. 6c.

Sub-pipelining is useful in increasing the frequencyof the AES at the expense of more area used for thepipeline registers, however, it increases the latency. Forinstance, the latency of a 3-stage sub-pipelined AES is 3times more than that of the unrolled pipelined. We alsonote that if the critical path delay is determined by themultipliers in the GCM architecture, sub-pipelining ofthe AES transformations cannot increase the frequency.Although both pipelined and sub-pipelined AES archi-tectures can be utilized, in this paper, for the synthesesand comparisons, we use pipelined AES architecturepresented in Fig. 6b. Moreover, for analyzing the effectof sub-pipelining, we have used sub-pipelined AES fortwo AES-GCM architectures. The details of our imple-mentations are presented in this section.

According to Table 6, we use the most efficient S-box presented in Table 1, i.e., the one using polynomialbasis (PB) based on (2), to reach the AES-GCM withthe highest performance. The AES-128 encryption isconsidered as the block cipher for the GCM (refer toFig. 2) and as indicated in Table 6, the 10 rounds ofthe AES-128 are unrolled and pipelined. Moreover, asseen in Table 6, we use the proposed Algorithm 1 for theGCM and utilize the parallel method in Fig. 5b for hashsubkey exponentiations (hardware optimized throughcomplexity reduction methods in the previous section).Finally, As seen in this table, we use both quadratic andsub-quadratic multipliers presented in Table 5.

Fig. 7 presents the proposed architecture for the AES-GCM for q = 8 parallel structures. The AES-128 pipelineregisters are shown by dashed lines in Fig. 7. As seen inthis figure, 10 clock cycles are needed for obtaining theciphertext. After these first 10 clock cycles, the resultsare obtained after each clock cycle. According to Fig. 7,8 parallel AES-128 structures are implemented as part ofGCTRK to provide inputs to GHASHH . As seen in thisfigure, the function GCTRK performs the AES countermode with the Initial Counter Block (ICB) and its one-increments (CBi). Moreover, q = 8 increments (usingINC 8 module) and the plaintext blocks (Pi) are used

as the inputs. It is assumed that the data is encryptedand the IV in the GCM is 96 bits which is recommendedfor high throughput implementations [5].

The architecture shown in Fig. 7 assumes that thenumber of blocks n is a multiple of the number of paral-lel structures q and there is no additional authenticateddata (AAD). In case that n is not a multiple of q, onecan append q −mod (n, q) zero blocks at the beginningof the blocks for which hash is computed. This is doneby adding a masking gate along the dotted line as shownin Fig. 7. Moreover, in this case, the counter blocks andaccordingly Pis in Fig. 7 start from the q−mod (n, q)+1column, i.e., the first actual input block. This is similarto the method used in [32]. We also note that in caseAAD is present, additional multiplexers are placed atthe output of the GCTR block in Fig. 7 along the dottedline so that instead of encrypted data, the AAD is fed tothe architecture. Such a scheme which is similar to theone presented in [32], also needs more flexibility in thecounter blocks and accordingly Pis so that only when theAAD is done, the counter blocks provide the encrypteddata. Finally, in Fig. 7 and as the last processed block,the output of the GCTR block in the rightmost columnis masked and LA,C (number for n) is fed (using an extramultiplexer which is not shown in Fig. 7 for the sake ofbrevity). AESK(J0) and H = AESK(0) (see Fig. 2) canbe also obtained or pre-computed in Fig. 7 (similar to[32]), the details of which are not presented in Fig. 7.

The results of our syntheses for the AES-GCM usingthe STM 65-nm CMOS technology [35] are presented inTable 7. The architectures have been coded in VHDL asthe design entry to the Synopsys R© Design Vision R© [34].The proposed architectures in this paper and the onesin [27], [28], [29], [31] and [32] have been synthesized.The syntheses are based on the case for q = 8 paralleladdition-multiplications using the bit-parallel GF (2128)multiplier presented in [52] which has quadratic hard-ware complexity. For achieving low hardware com-plexity for the AES-GCM, we have also synthesizedsix different steps for the Karatsuba-Ofman multipliers.As seen in Table 7, areas, power consumptions, andmaximum working frequencies are tabulated. From thediscussions in Section 4, for n input blocks and q parallelstructures, the latency for the architecture in [27], [28],and [29] is n, for the one in [31] and [32] is n

q +q−1, andfor our proposed architectures is n

q + log2(q). Accordingto these, for different architectures presented in Table 7,throughputs and efficiencies are also presented.

As presented in Table 7, the sequential approach in[27], [28], and [29] has the lowest hardware complexitycompared to other approaches. However, it has theleast throughput leading to low-performance hardwareimplementations. As depicted in Table 7, lower areas andpower consumptions are achieved for the sub-quadratichardware complexity GF (2128) multipliers used in ourproposed architectures compared to the one in [52]. Asseen in this table, the maximum working frequency isdecreased as we increase the number of multiplication


13

steps. However, this trend is not observed for the hard-ware complexity, i.e., it is decreased up to KO5 as theoptimum value and then rises for KO6.

The highest throughput is achieved for the pro-posed architectures in this paper, i.e., 82.0

n8 +3 Gbps using

quadratic and KO1/KO2 sub-quadratic multipliers. Asseen in Table 7, the highest efficiency is derived forKO4, i.e., 59.8

n8 +3

Gbpsmm2 . As seen in this table, the work-

ing frequencies and throughputs for KO1 and KO2 aresimilar. We have observed that this is because for thesetwo multipliers, the critical path delay is dominated bythe AES rounds and not the sub-quadratic multiplier.Inner-round pipelining can be performed to increase theworking frequencies of the implementations. Neverthe-less, this sub-pipelining increases the area and latencyof the AES-GCM architectures. We have performed ex-periments by sub-pipelining the AES rounds for thearchitectures using KO1 and KO2 multipliers. This isachieved by adding one pipeline stage after ShiftRowsand right before MixColumns. The results of our ex-periments show no major difference in the maximumworking frequency of the design utilizing KO2 multiplierand increase in its hardware complexity. However, forthe architectures using KO1 multipliers, the working fre-quency of 689 MHz with the increased area of 1.70 mm2

is achieved. Therefore, for this architecture which usesKO1 multipliers, the best speed is obtained compared tothe results in Table 7. However, its efficiency is obtainedas 51.9

n8 +3

Gbpsmm2 which is less than that of the architectures

with KO4 multipliers (see Table 7).For comparing the efficiencies of the schemes pre-

sented in Table 7, we have presented Fig. 8. Based onthe derived values for efficiencies in the last column ofTable 7, two different graphs for two values of n arepresented in Fig. 8. We consider two different values ofn, i.e., n1 = 232 − 2 (the largest encrypted message sizeallowed) and n2 = 210. It is noted that considering thenormalized efficiency (%) of the scheme in [31], [32] as100, the relative efficiencies for different architectures arepresented in this figure. As seen in Fig. 8, for n1 = 232−2and n2 = 210, KO4 has the highest efficiencies (51% and44% more than the sequential method, respectively).

6 CONCLUSIONS

In this paper, we have obtained optimized buildingblocks for the AES-GCM to propose efficient and high-performance architectures. For the AES, through logic-gate minimizations for the inversion in GF (24), theareas of the S-boxes have been reduced. We have alsoevaluated and compared the performance of differentS-boxes using an ASIC 65-nm CMOS technology. Fur-thermore, through exhaustive searches for the inputpatterns, we have performed simulation-based powerderivations for different S-boxes to reach more accurateresults compared to the statistical methods. We have alsoproposed high-performance and efficient architectures

TABLE 7ASIC synthesis comparisons of the AES-GCM.

Schemea Total Area [AES]b Power Freq. Thro. Eff.(mm2) K-GEc (mW) (MHz) (Gbps) ( Gbps

mm2 )

[27], [28], 0.23 110[29] [0.12] [57] 19.6 568 72.7

n316.0

n

1.86 894[31], [32]d [1.02] [490] 144.3 568 72.7

n8

+739.1n8

+7

Proposed 1.82 875(quad.)e [0.92] [442] 142.5 641 82.0

n8

+345.1n8

+3

Proposed 1.62 779(KO1)e [0.92] [442] 124.6 641 82.0

n8

+350.6n8

+3

Proposed 1.46 702(KO2)e [0.92] [442] 113.0 641 82.0

n8

+356.2n8

+3

Proposed 1.34 644(KO3)e [0.92] [442] 104.8 621 79.4

n8

+359.3n8

+3

Proposed 1.31 630(KO4)e [0.92] [442] 101.2 613 78.4

n8

+359.8n8

+3

Proposed 1.30 625(KO5)e [0.92] [442] 102.0 595 76.1

n8

+358.5n8

+3

Proposed 1.33 639(KO6)e [0.92] [442] 105.2 578 73.9

n8

+355.6n8

+3

a. For the case of q = 8 parallel structures.b. The area of the AES is shown inside brackets.c. 103 gate equivalent in terms of two-input NAND.d. The least complexity scheme in [31] and [32] has been synthesized.e. The quad./sub-quad. multipliers used in the AES-GCM.

Fig. 8. Comparison of the efficiencies of nine differentAES-GCM architectures for n1 = 232 − 2 and n2 = 210.

for the GCM. For the case study of q = 8 parallel struc-tures in GHASHH , we have performed a hardware com-plexity reduction technique for the hash subkey expo-nentiations, having their timing complexities intact. TheASIC comparison results show that better efficiencies areachieved for the proposed architectures. Based on theavailable resources and performance goals to achieve,one can choose the proposed AES-GCM architectures tofulfill the constraints of different applications.

ACKNOWLEDGMENTS

The authors would like to thank the reviewers for theircomments. This work has been supported in part byan NSERC Discovery grant awarded to Arash Reyhani-Masoleh. The authors would like to thank Canadian


14

Microelectronics Corporation (CMC) Microsystems forproviding the required infrastructure and CAD tools thathave been used in this work. The authors would alsolike to thank Christopher Kennedy who assisted in oursoftware implementation of the complexity reductionalgorithm for hash subkey exponentiations.

REFERENCES[1] National Institute of Standards and Technologies, “Announcing

the Advanced Encryption Standard (AES),” Federal InformationProcessing Standards Publication, no. 197, Nov. 2001.

[2] Wi-Fi, http://standards.ieee.org/getieee802/download/802.11-2007.pdf.

[3] WiMAX, http://standards.ieee.org/getieee802/download/802.16e-2005.pdf.

[4] S. Trimberger, “Security in SRAM FPGAs,” IEEE Design and Testof Computers, vol. 24, no. 6, pp. 581, Nov. 2007.

[5] M. Dworkin, “Recommendation for Block Cipher Modes of Oper-ation: Galois/Counter Mode (GCM) and GMAC,” NIST SP 800-38D, 2007.

[6] IEEE Standard for Local and Metropolitan Area Networks, MediaAccess Control (MAC) Security, 2006.

[7] Fibre Channel Security Protocols (FC-SP), 2006. Available:http://www.t10.org/ftp/t11/document.06/06-157v0.pdf.

[8] Algotronics Ltd.: GCM Extension for AES G3 Core, 2007.[9] Helion Technology: AES-GCM Cores, 2007.[10] Elliptic Semiconductor Inc.: CLP-15: Ultra-High Throughput AES-

GCM Core-40 Gbps, 2008.[11] E. Kasper and P. Schwabe, “Faster and Timing-Attack Resistant

AES-GCM,” In Proc. of CHES 2009, LNCS 5747, pp. 1-17, 2009.[12] K. Jankowski and P. Laurent, “Packed AES-GCM Algorithm Suit-

able for AES/PCLMULQDQ Instructions,” IEEE Trans. Computers,vol. 60, no. 1, pp. 135-138, Jan. 2011.

[13] S. Morioka and A. Satoh, “An Optimized S-Box Circuit Architec-ture for Low Power AES Design,” In Proc. of CHES 2002, LNCS2523, Springer, pp. 172-186, August 2002.

[14] A. Satoh, S. Morioka, K. Takano, and S. Munetoh, “A CompactRijndael Hardware Architecture with S-Box Optimization,” InProc. of ASIACRYPT 2001, LNCS 2248, pp. 239-254, Dec. 2001.

[15] J. Wolkerstorfer, E. Oswald, and M. Lamberger, “An ASIC Imple-mentation of the AES SBoxes,” In Proc. of CT-RSA 2002, pp. 67-78,Jan. 2002.

[16] X. Zhang and K. K. Parhi, “High-Speed VLSI Architectures forthe AES Algorithm,” IEEE Trans. VLSI Systems, vol. 12, no. 9, pp.957-967, Sep. 2004.

[17] T. Good and M. Benaissa, “692-nW Advanced Encryption Stan-dard (AES) on a 0.13-μm CMOS,” IEEE Trans. VLSI Systems, vol.18, no. 12, pp. 1753-1757, Dec. 2010.

[18] M. Mozaffari-Kermani and A. Reyhani-Masoleh, “A Low-Cost S-box for the Advanced Encryption Standard Using Normal Basis,”In Proc. of EIT 2009, pp. 52-55, 2009.

[19] S. Tillich, M. Feldhofer, T. Popp, and J. Großschadl, “Area, Delay,and Power Characteristics of Standard-Cell Implementations ofthe AES S-Box,” J. Sign. Process Syst, vol. 50, pp. 251-261, 2008.

[20] D. Canright, “A Very Compact S-Box for AES,” In Proc. of CHES2005, LNCS 3659, Springer, pp. 441-455, Sep. 2005.

[21] N. Mentens, L. Batina, B. Preneel, and I. Verbauwhede, “A Sys-tematic Evaluation of Compact Hardware Implementations forthe Rijndael S-Box,” In Proc. of CT-RSA 2005, pp. 323-333, 2005.

[22] X. Zhang and K. K. Parhi, “On the Optimum Constructions ofComposite Field for the AES Algorithm,” IEEE Trans. Circuits andSystems II: Express Briefs, vol. 53, no. 10, pp. 1153-1157, Oct. 2006.

[23] J. Boyar and R. Peralta, “A New Combinational Logic Minimiza-tion Technique with Applications to Cryptology,” In Proc. of SEA2010, pp. 178-189, 2010.

[24] S. Nikova, V. Rijmen, and M. Schlaffer, “Using Normal Bases forCompact Hardware Implementations of the AES S-Box,” In Proc.of the SCN 2008, LNCS 5229, Springer, pp. 236-245, 2008.

[25] Y. Nogami, K. Nekado, T. Toyota, N. Hongo, and Y. Morikawa,“Mixed Bases for Efficienct Inversion in F((22)2)2 and ConversionMatrices of SubBytes of AES,” In Proc. of CHES 2010, LNCS 6225,Springer, pp. 234-247, August 2010.

[26] D. Canright and D.A. Osvik, “A More Compact AES,” In Proc. ofSAC 2009, LNCS 5867, pp. 157-169, 2009.

[27] S. Lemsitzer, J. Wolkerstorfer, N. Felbert, and M. Braendli, “Multi-gigabit GCM-AES Architecture Optimized for FPGAs,” In Proc. ofCHES 2007, LNCS, vol. 4727, pp. 227-238, 2007.

[28] P. Patel, “Parallel Multiplier Designs for the Galois/CounterMode of Operation,” Master of Applied Science Thesis, TheUniversity of Waterloo, 2008.

[29] B. Yang, S. Mishra, and R. Karri, “High Speed Architecture forGalois/Counter Mode of Operation (GCM),” Cryptology ePrintArchive: Report 2005/146, June 2005.

[30] D. A. McGrew and J. Viega, “The Galois/counter Mode of Oper-ation (GCM),” 2005.

[31] A. Satoh, “High-speed Parallel Hardware Architecture for GaloisCounter Mode,” In Proc. of ISCAS, pp. 1863-1866, 2007.

[32] A. Satoh, T. Sugawara, and T. Aoki, “High-Performance HardwareArchitectures for Galois Counter Mode,” IEEE Trans. Computers,vol. 58, no. 7, pp. 917-930, 2009.

[33] N. Meloni, C. Negre, and M. A. Hasan, “High PerformanceGHASH Function for Long Messages,” In Proc. of ACNS 2010,pp. 154-167, 2010.

[34] Synopsys, http://www.synopsys.com/[35] STMicroelectronics, http://www.st.com/[36] ModelSim, http://www.model.com/[37] M. McLoone and J.V. McCanny, “High Performance Single-chip

FPGA Rijndael Algorithm Implementations,” In Proc. of CHES2001, LNCS 2162, pp. 65-76, 2001.

[38] F. X. Standaert, G. Rouvroy, J. J. Quisquater, and J. D. Legat, “Ef-ficient Implementation of Rijndael Encryption in ReconfigurableHardware: Improvements and Design Tradeoffs,” In Proc. of CHES2003, LNCS 2779, Springer, pp. 334-350, Sep. 2003.

[39] P. Bulens, F.-X. Standaert, J.-J. Quisquater, P. Pellegrin, and G.Rouvroy, “Implementation of the AES-128 on Virtex-5 FPGAs,”In Proc. of AFRICACRYPT 2008, LNCS 5023, pp. 16-26, 2008.

[40] A. Hodjat and I. Verbauwhede, “Area-Throughput Trade-Offs forFully Pipelined 30 to 70 Gbits/s AES Processors,” IEEE Trans.Computers, vol. 55, no. 4, pp. 366-372, April 2006.

[41] Mathworks, http://www.mathworks.com/[42] S.-Y. Lin and C.-T. Huang, “A High-Throughput Low-Power AES

Cipher for Network Applications,” In Proc. of ASP-DAC 2007, pp.595-600, 2007.

[43] D. E. Knuth, The Art of Computer Programming, vol. 2, “Semi-numerical Algorithms,” pp. 441-466, Addison-Wesley, 1981.

[44] R. Lidl and H. Niederreiter, “Introduction to Finite Fields andTheir Applications,” Cambridge Univ. Press, 1994.

[45] O. Gustafsson and M. Olofsson, “Complexity Reduction of Con-stant Matrix Computations over the Binary Field,” In Proc. ofWAIFI 2007, pp. 103-115, 2007.

[46] H. Yi, J. Song, S. Park and C. Park, “Parallel CRC Logic Optimiza-tion Algorithm for High Speed Communication Systems,” In Proc.of ICCS 2006, pp. 1-5, 2006.

[47] G. Zhou, H. Michalik, and L. Hinsenkamp, “Improving Through-put of AES-GCM with Pipelined Karatsuba Multipliers on FP-GAs,” In Proc. of ARC 2009, LNCS 5453, pp. 193-203, 2009.

[48] J. Lazaro, A. Astarloa, U. Bidarte, J. Jimenez, and A. Zuloaga,“AES-Galois Counter Mode Encryption/Decryption FPGA Corefor Industrial and Residential Gigabit Ethernet Communications,”In Proc. of ARC 2009, LNCS 5453, pp. 312-317, 2009.

[49] E. D. Mastrovito, “VLSI Architectures for Computation in GaloisFields,” Ph.D. Thesis, Linkoping University, 1991.

[50] A. Karatsuba and Y. Ofman, “Multiplication of Multidigit Num-bers on Automata,” Soviet Physics Doklady, vol. 7, pp. 595, 1963.

[51] H. Fan and M. A. Hasan, “A New Approach to SubquadraticSpace Complexity Parallel Multipliers for Extended BinaryFields,” IEEE Trans. Computers, vol. 56, no. 2, pp. 224-233, 2007.

[52] A. Reyhani-Masoleh and M. A. Hasan, “Low Complexity BitParallel Architectures for Polynomial Basis Multiplication overGF (2m),” IEEE Trans. Computers, vol. 53, no. 8, pp. 945-959, 2004.

[53] G. Zhou, H. Michalik, and L. Hinsenkamp, “Complexity Analysisand Efficient Implementations of Bit Parallel Finite Field Multi-pliers Based on Karatsuba-Ofman Algorithm on FPGAs,” IEEETrans. VLSI Systems, vol. 18, no. 7, pp. 1057-1066, 2010.


15

Mehran Mozaffari-Kermani received the B.Sc.degree in electrical and computer engineeringfrom the University of Tehran in 2005, and theM.E.Sc. and Ph.D. degrees from the Depart-ment of Electrical and Computer Engineeringat The University of Western Ontario in 2007and 2011, respectively. He was awarded a Nat-ural Sciences and Engineering Research Coun-cil of Canada (NSERC) Postdoctoral Fellowshipin 2011. Currently, he is working at AdvancedMicro Devices (AMD) as a Senior ASIC/Layout

Design Engineer. His current research interests include secure cryp-tographic systems, fault diagnosis and tolerance, VLSI reliability, andcomputer arithmetic. He is a member of the IEEE.

Arash Reyhani-Masoleh received the BSc. de-gree in electrical and electronic engineering fromIran University of Science and Technology in1989, the MSc. degree in electrical and elec-tronic engineering from the University of Tehranin 1991, both with the first rank, and the Ph.D.degree in electrical and computer engineeringfrom the University of Waterloo in 2001.

From 1991 to 1997, he was with the Depart-ment of Electrical Engineering, Iran Universityof Science and Technology. From June 2001 to

September 2004, he was with the Centre for Applied CryptographicResearch, University of Waterloo, where he was awarded a NaturalSciences and Engineering Research Council of Canada (NSERC) Post-doctoral Fellowship in 2002. In October 2004, he joined the Departmentof Electrical and Computer Engineering, University of Western Ontario,London, Canada, where he is currently a tenured associate professor.His current research interests include algorithms and VLSI architecturesfor computations in finite fields, fault-tolerant computing, and error-control coding.

Dr. Reyhani-Masoleh has been awarded a NSERC Discovery Accel-erator Supplement (DAS) in 2010. Currently, he serves as an associateeditor for Integration, the VLSI Journal (Elsevier). He is a member of theIEEE and the IEEE Computer Society.


Documents

AES-GCM