IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 70, NO.
10, OCTOBER 2023
Area-Efficient Intellectual Property (IP) Design
of Advanced Encryption Standard
Useok Lee , Graduate Student Member, IEEE, Ho Keun Kim , Graduate Student Member, IEEE,
Jeahack Lee , Member, IEEE, and Myung Hoon Sunwoo , Fellow, IEEE
Abstract—This brief proposes an area-efficient AES design
approach considering both application-specific integrated circuits
(ASIC) and field-programmable gate arrays (FPGA) implemen-
tation characteristics. This brief focuses on optimizing and
analyzing the design approach of Subbytes and MixColumns,
which take up the most significant portion of AES hardware
area. Furthermore, this brief presents an area-efficient AES
intellectual property (IP) design by analyzing the trade-off rela-
tionship between area and clock cycles based on the datapath
variations. The proposed AES IPs were designed using Verilog
HDL and synthesized using Samsung 28nm standard cell library
for performance comparison. The proposed AES IPs show the
advanced normalized area efficiency of 70% over the existing
AES design with the same datapath. Furthermore, the Xilinx
UltraScale+ KCU116 evaluation board (XCKU5P) was used for
FPGA verification and performance analysis. As a result, the
FPGA implementation results show up to 36% better look-up
table (LUT) utilization efficiency than the Xilinx AES IP, and
up to 17.9 times better than the existing AES implementation
results.
Index Terms—Cryptography, AES, ASIC, FPGA, datapath.
I. I NTRODUCTION
DVANCED encryption standard (AES) [1] is a
A symmetric-key encryption method adopted as a standard
through a public offering by the U.S. National Institute of
Standards and Technology (NIST). The AES has a similar
structure to the data encryption standard (DES), in which
functions are repeatedly used. However, unlike the DES,
where security vulnerabilities have been found, the AES
uses a substitution-permutation network (SPN) structure in
the encryption and decryption process. The SPN requires an
Manuscript received 10 April 2023; revised 26 May 2023; accepted
3 July 2023. Date of publication 11 July 2023; date of current version
25 September 2023. This work was supported in part by the National Research
and Development Program through the National Research Foundation of
Korea (NRF) funded by the MSIT under Grant NRF-2021R1A2C2010228,
and in part by the Ministry of Science and Information and Communications
Technology (MSIT), South Korea, through the Information Technology
Research Center (ITRC) Support Program supervised by the Institute for
Information and Communications Technology Planning and Evaluation (IITP)
under Grant IITP-2022-2020-0-01461. This brief was recommended by
Associate Editor X. Xue. (Corresponding author: Myung Hoon Sunwoo.)
Useok Lee, Ho Keun Kim, and Myung Hoon Sunwoo are with
the Department of Electrical and Computer Engineering, Ajou
University, Suwon 16499, South Korea (e-mail: [email protected];
[email protected]; [email protected]).
Jeahack Lee is with the SoC Platform Research Center, Korea Electronics
Technology Institute, Seongnam 13509, South Korea (e-mail: jhk507@
keti.re.kr).
Digital Object Identifier 10.1109/TCSII.2023.3293999
1549-7747 
c 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Amrita School of Engineering. Downloaded on July 20,2024 at 05:22:37 UTC from IEEE Xplore. Restrictions apply.
3797
inverse encryption process for decryption in contrast with
the Feistel structure, which employs the same procedure in
both encryption and decryption in the DES. The AES sup-
ports key lengths of 128/192/256 bits and is secure against
all known block encryption attacks. Since the AES shows
strong computation efficiency and high flexibility in hardware
implementation, it is widely used.
Research on the hardware implementation of the AES was
conducted from various perspectives on an application-specific
integrated circuit (ASIC) and a field-programmable gate array
(FPGA) [2], [3], [4], [5], [6], [7], [8], [9], [10], [11], [12].
The pipeline architectures [2] and unrolled architectures [3]
showed high performances. However, [2] and [3] have dis-
advantages by having large areas. References [4] and [5]
proposed design methods to reduce the datapath for the area
efficiency in hardware implementation. Reference [4] designed
the AES with a very low area at 8-bit datapath. Reference [5]
defined the optimal datapath by analyzing the trade-off rela-
tionship and conducted the AES design at 32-bit datapath.
References [6], [7], [8] implemented the AES with considering
various constraints in FPGA.
Our previous work [13] proposed a resource-efficient AES
design method considering the FPGA implementation charac-
teristics. Based on this, this brief proposes an area-efficient
AES intellectual property (IP) design approach based on the
analysis of the implementation characteristics of ASIC as well
as FPGA. This brief focuses on optimizing and analyzing
the design approach of Subbytes and MixColumns, which
take up the most significant portion of the AES hardware
area. Furthermore, this brief presents an area-efficient AES
IP design by analyzing the trade-off relationship between area
(ASIC gate count, FPGA resource utilization) and clock cycle
based on the datapath variations of each module.
The rest of this brief consists of the following. Section II
proposes the area-efficient AES design methods considering
ASIC and FPGA implementation characteristics. In addition,
Section II shows the analysis of the trade-off relationship
between area and clock cycles. Section III analyzes the
implementation results with other AES designs, and finally,
conclusions are drawn in Section IV.
II. P ROPOSED D ESIGN M ETHOD
A. SubBytes Design Analysis
Subbytes [1], a byte-wise non-linear substitution operation,
occupies the largest area in the AES hardware. There are
3798 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 70, NO. 10, OCTOBER 2023

Fig. 2. (a) Optimized 0 × 02 multiplier. (b) Optimized 0 × 03 multiplier.

Fig. 1. CFA-based SubBytes architecture.

TABLE I Direct comparison is difficult because each resource uses dif-

S UB B YTES D ESIGN M ETHOD C OMPARISON OF ASIC ferent physical cells, but Method-B is superior in utilization
S YNTHESIS R ESULTS
compared to the total available resources. On the other hand,
Method-A can be seen as superior in design flexibility because
LUTs have more usability when implementing hardware.

B. MixColumns Optimization
The MixColumns operations [1] are column-by-column
multiplication in GF, the same operations as polynomials mul-
tiplication followed by modulo operation with the irreducible
two ways to design SubBytes. The first method (Method-A) polynomial (2).
is designing the S-Box as a memory-based look-up table
f (x) = x8 + x4 + x3 + x + 1 (2)
(LUT) [1]. The second method (Method-B) is calculating the
inverse of the multiplication in GF(28 ) and designing the oper- The MixColumns operations can be simplified as multiplica-
ation according to the Affine transform as a combinational tion of fixed third-degree polynomial (3) followed by modulo
logic [14]. operation with (4).
For the design of Method-B, composite field arithmetic
(CFA) of (1) can be applied [14]. m(x) = {03}x3 + {01}x2 + {01}x + {02} (3)
n(x) = x4 + 1 (4)
(bx + c)−1 = b(b2 λ + c(b + c))−1 x + (c + b)(b2 λ + c(b + c))−1 (1)
These operations can be expressed as a matrix-based equa-
The SubBytes operation consists of the isomorphic (δ), tion as in (5).
inverse isomorphic (δ −1 ), squarer (b2 ), lambda multiplier (λ), ⎡ ⎤ ⎡ ⎤ ⎡ ⎤
c0 02 03 01 01 c0
multiplicative inversion ((·)-1 ), GF(24 ) multiplier, and Affine ⎢c ⎥ ⎢01 02 03 01⎥ ⎢c1 ⎥
⎢ 1 ⎥ = ⎢ ⎥ ⎢ ⎥
transform. The architecture of SubBytes can be designed, as ⎣c ⎦ ⎣01 01 02 03⎦ × ⎣c2 ⎦ (5)
shown in Fig. 1. 2
c3 03 01 01 02 c3
Table I presents the ASIC synthesis results of the SubBytes
module based on different design methods, where Lpath means Then, the byte-wise operation for each column in (5) can
the length of the datapath. Implementation of Method-B using be expressed as (6)–(9).
a combination circuit, as implemented through [6], shows an
average of 44% lower gate equivalent (GE) than the LUT- c0 = ({02} • c0 ) ⊕ ({03} • c1 ) ⊕ c2 ⊕ c3 (6)
based Method-A, where GE can be calculated by an equivalent c1 = c0 ⊕ ({02} • c1 ) ⊕ ({03} • c2 ) ⊕ c3 (7)
number of 2-input NAND gates. However, Method-A has a c2 = c0 ⊕ c1 ⊕ ({02} • c2 ) ⊕ ({03} • c3 ) (8)
62% shorter critical path delay (CPD) than Method-B. This c3 = ({03} • c0 ) ⊕ c1 ⊕ c2 ⊕ ({02} • c3 ) (9)
means that a faster circuit can be achieved when designed
with Method-A, which can impact the overall AES operation The byte operation method for (5) is defined as the xtime
speed if applied to the same AES architecture, as confirmed operation [1]. If the most significant bit (MSB) is 1 in this
by the results in Fig. 6 that will be presented later. operation, left shifting is performed, followed by a bitwise
Table II shows the comparison results of FPGA resource XOR operation with {1b}. For higher-dimensional values, the
utilization according to SubBytes design methods. FPGA xtime operation is repeated.
has dedicated design resources such as block random access Therefore, we optimized the {02} multiplier as Fig. 2(a). In
memory (BRAM) as well as LUTs and registers that are addition, since {03} is a continuous XOR operation of {01}
used flexibly for hardware implementation. Therefore, a direct and {02}, we optimized it as in Fig. 2(b). Since the result of
comparison like Table I is not possible. For the SubBytes multiplication with {01} is itself, multiplier implementation is
implementation, Method-A uses BRAM and Method-B uses not required. Fig. 3 shows the proposed 32-bit MixColumns
LUTs. The LUT mentioned in Method-B means one of the architecture using the optimized multipliers of Fig. 2(a) and
FPGA design resources, not a look-up table as in Method-A. Fig. 2(b).

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on July 20,2024 at 05:22:37 UTC from IEEE Xplore. Restrictions apply.
LEE et al.: AREA-EFFICIENT IP DESIGN OF ADVANCED ENCRYPTION STANDARD
Fig. 3. Proposed 32-bit datapath MixColumns architecture.
TABLE II
S UB B YTES D ESIGN M ETHOD C OMPARISON OF FPGA
I MPLEMENTATION R ESULTS
TABLE III
ASIC S YNTHESIS A REA C OMPARISON OF M IX C OLUMNS
TABLE IV
M IX C OLUMNS D ESIGN R ESOURCE U TILIZATION C OMPARISON
Tables III and IV show the ASIC area and the FPGA design
resource utilization results when implementing MixColumns.
In the MixColumns logic, the area is relatively small com-
pared to the SubBytes implementation result, as shown in
Tables I and II. Although Lpath = 8 and 16 MixColumnns
can be implemented, additional resources are required due to
the structural limitations of the MixColumns operation, which
is performed in units of columns. Therefore, it requires more
resources than the MixColumnns of 32-bit and consumes addi-
tional clock cycles. Thus, in this brief, Lpath = 32 MixColumns
is used as the basic design module.
C. Trade-Off Analysis According to Lpath Variation
This brief employs a round-based AES design
approach [15]. The AES round module consists of SubBytes,
ShiftRow, MixColumns, and AddRoundKey. ShiftRow is
Authorized licensed use limited to: Amrita School of Engineering. Downloaded on July 20,2024 at 05:22:37 UTC from IEEE Xplore. Restrictions apply.
3799
Fig. 4. Trade-off relationship between the area and clock cycles with the
change of Lpath .
implemented with simple wires or shift registers depending
on Lpath .
AddRoundKey requires parallel XOR gates equal to Lpath .
Based on the results in Tables I–IV and AddRoundKey imple-
mentation characteristic, we formulated the number of GEs
and LUTs of combinational logic required for designing round
modules in ASIC and FPGA as shown in (10) and (11).
531 × LPath L
Path
GEsRound = + 142 × MAX , 1 (10)
8 32
93 × LPath
LUTsRound = + MAX(LPath , 32) (11)
8
At this point, registers for pipeline architecture and serial-
parallel substitution, including ShiftRow, have not been con-
sidered. For example, the ShiftRow module with an Lpath of
128 in ASIC results uses only 128 GEs. However, if the Lpath
is not 128, the ShiftRow module can be implemented as a
mixed circuit of shift registers and wires. For example, if
the Lpath is 8 and 32, GEs of 1326 and 1383 are required,
respectively. Because of this, it is difficult to grasp the linear
relationship and can produce different results depending on
the design method.
The relationship between the area and clock cycles in a
round can be found in Fig. 4. GEsRound and LUTsRound denote
the number of GEs and LUTs required for a round module,
respectively. This brief proposes AES-128 encryption IPs for
three Lpath based on ASIC and FPGA implementation charac-
teristics shown in Fig. 4. The three Lpath for the proposed AES
IPs are as follows: Lpath = 32 with the sharpest slope change,
Lpath = 8 with the least LUT utilization, and Lpath = 128 with
the least CC consumption.
D. Proposed AES Architecture
Fig. 5 shows the basic architecture of the proposed round-
based AES. Each module is designed and modified for
each target Lpath . SubBytes, MixColumns, and AddRoundKey
inside the round module are in parallel according to the target
Lpath . Shift registers were used in serial-parallel I/O combi-
nation and distribution, including ShiftRows operations. The
round module is used for a total of 10 repetitions.
The En_sig is applied to the global counter, which outputs
data_in_sel, last_rnd_sig, rnd_sig, and key_in_sel signals. The
data_in_sel determines the input of the round module.
3800 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 70, NO. 10, OCTOBER 2023

Fig. 5. Proposed AES architecture.

The key_in_sel decides the input of the KeyExpansion. The

rnd_sig is used as an input of KeyExpansion for generat-
Fig. 6. ASIC synthesis results of the proposed AES designs.
ing the round key corresponding to each round. Since the
MixColumns operation does not need in the last round, the
TABLE V
global counter sends last_rnd_sig to the multiplexer to bypass ASIC S YNTHESIS R ESULTS C OMPARISON
the MixColumns operation. In addition, the last_rnd_sig
decides the final output of the proposed AES.

III. I MPLEMENTATION R ESULTS

The proposed AES IPs in this brief were designed using
Verilog HDL and synthesized using Samsung 28nm stan-
dard cell library and Synopsys Design Compiler for ASIC
performance comparison. The Xilinx UltraScale+ KCU116
evaluation board (XCKU5P) was used for FPGA verification
and performance analysis. Both Method-A (LUT-based) and
Method-B (CFA-based) were considered for SubBytes design,
and area and clock cycle analysis were performed according
to Lpath variation. Based on this, we designed six versions of
AES IPs with different Lpath and implementation methods. In
addition, the proposed decoders were designed with a fully-
pipelined architecture to achieve high operating frequency
and throughput. This brief uses area efficiency based on GEs
in ASIC and LUTs in FPGA, which can be represented as
follows.
Throughput
EfficiencyGEs = (12)
GEs AES IPs consume more power than [5] and [16]. However,
Throughput regarding area efficiency, especially for the proposed AES
EfficiencyLUTs = (13)
# of LUTs with Lpath = 128, each design shows 45% and 163% higher
Fig. 6 shows the ASIC synthesis results of the proposed normalized area efficiency than [4] and [16], respectively. In
AES designs. As reported in Section II-A, the CFA-based addition, for the 32-bit datapath AES, the proposed IP shows
SubBytes design (Method-B) has a smaller area than the LUT- 70% higher normalized area efficiency than [4] and 15 times
based SubBytes design (Method-A), but operates at a slower higher area efficiency than [5].
speed. When both Methods-A and B are applied to the same Table VI compares the implementation results between the
AES architecture, Method-B affects the critical path, as shown proposed AES IPs and Xilinx AES IP [17]. Since [17] does
in Fig. 6. For example, the AES designed with a 32-bit data- not use BRAM, AES IPs with Method-B were used for com-
path has 9.6% fewer GEs in Method-B than in Method-A, but paring under the same criteria. Reference [17] is implemented
has a 51.8% slower maximum operating frequency. Since the in two modes: low and high throughput. The trade-off rela-
area efficiency based on (11) is 46.5% lower in Method-B, the tionship between throughput and resource utilization of the
AES design in this brief used Method-A compared to other two modes can be shown in Table VI. The proposed AES IPs
references. were designed with low area as the top priority. Therefore,
Table V shows a comparison of synthesis results for the the comparison is performed with [17] for the low throughput
proposed AES designs. The proposed AES designs were not mode with low resource utilization. As a result, it can be seen
only designed for the low area but also for high operation that all three proposed AES IPs have lower design resource
frequency, which required a large number of registers for usages than the low mode of [17]. In addition, compared to
pipeline architecture. Therefore, the proposed AES designs use utilization efficiency, the proposed AES IP with Lpath = 32
more area than [4], [5], and [16]. In addition, the proposed and 128 are about 10% and 36% better, respectively.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on July 20,2024 at 05:22:37 UTC from IEEE Xplore. Restrictions apply.
LEE et al.: AREA-EFFICIENT IP DESIGN OF ADVANCED ENCRYPTION STANDARD
TABLE VI
FPGA I MPLEMENTATION R ESULTS C OMPARISON W ITH X ILINX AES IP
TABLE VII
C OMPARISON OF FPGA I MPLEMENTATION R ESULTS
Table VII shows the comparison results of the proposed
AES IPs with the Xilinx FPGA-based AES design of [6],
[7], [8]. Since Lpath = 32 showed the optimal utilization and
clock cycle trade-off relationship in Section III-C, we used
Lpath = 32 AES IPs for implementation results comparison in
Table IV. Both of the proposed AES IPs use the least num-
ber of design resources such as LUT, registers, and BRAM
compared to [6], [7], [8]. Although the throughputs of [6],
[7], [8] are higher than the proposed AES IP with Method-B,
the proposed IP shows 2.7 to 7.6 times higher utilization effi-
ciency. In addition, in the proposed AES IP with Method-A, its
throughput is higher than [7] and [8]. Furthermore, its utiliza-
tion efficiency is 17.9 times better than [6], and the proposed
IPs have superior efficiency in resource utilization.
IV. C ONCLUSION
This brief proposed an area-efficient AES IP design
method considering ASIC and FPGA implementation char-
acteristics. First, the implementation results of SubBytes and
MixColumns, the most significant components in AES, were
analyzed. Furthermore, the trade-off results between the area
and clock cycles in the round-based AES architecture were
analyzed. Based on this, we designed six versions of AES IPs
with different Lpath and implementation methods. For ASIC
synthesis results, the proposed AES IPs show a normalized
area efficiency of 70% over [4] and 15 times higher area effi-
ciency than [5] at a maximum target frequency of 60MHz.
In addition, the proposed AES IPs showed up to 36% better
Authorized licensed use limited to: Amrita School of Engineering. Downloaded on July 20,2024 at 05:22:37 UTC from IEEE Xplore. Restrictions apply.
3801
LUT utilization efficiency than the Xilinx AES IP [17], and
achieved about 17.9 times higher utilization efficiency than [6].
The proposed AES IPs are area efficient and are suitable for
systems where area efficiency is highly prioritized. However, a
countermeasure against side-channel attacks is required when
designing AES hardware. Therefore, if a design for side-
channel attacks is applied through follow-up research, it is
possible to design AES IPs with improved security and area
efficiency.
ACKNOWLEDGMENT
The EDA tool was supported by the IC Design Education
Center (IDEC), South Korea.
R EFERENCES
[1] “Advanced encryption standard,” U.S. Nat. Inst. Stand. Technol.,
Gaithersburg, MD, USA, Rep. NIST FIPS-197, 2001.
[2] S. K. Mathew et al., “53 Gbps native GF(24 )2 composite-field AES-
encrypt/decrypt accelerator for content-protection in 45 nm high-
performance microprocessors,” IEEE J. Solid-State Circuits, vol. 46,
no. 4, pp. 767–776, Apr. 2011.
[3] P. Maene and I. Verbauwhede, “Single-cycle implementations of block
ciphers,” in Lightweight Cryptography for Security Privacy, vol. 9542.
Cham, Switzerland: Springer, 2016, pp. 131–147.
[4] S. Mathew et al., “340 mV-1.1 V, 289 Gbps/W, 2090-gate nanoAES
hardware accelerator with area-optimized encrypt/decrypt GF(24 )2 poly-
nomials in 22 nm tri-gate CMOS,” IEEE J. Solid-State Circuits, vol. 50,
no. 4, pp. 1048–1058, Apr. 2015.
[5] D.-H. Bui, D. Puschini, S. Bacles-Min, E. Beigné, and X.-T. Tran, “AES
datapath optimization strategies for low-power low-energy multisecurity-
level Internet-of-Things applications,” IEEE Trans. Very Large Scale
Integr. (VLSI) Syst., vol. 25, no. 12, pp. 3281–3290, Dec. 2017.
[6] N. S. S. Srinivas and M. Akramuddin, “FPGA based hardware imple-
mentation of AES Rijndael algorithm for encryption and decryption,”
in Proc. Int. Conf. Elect. Electron. Optim. Techn. (ICEEOT), 2016,
pp. 1769–1776.
[7] S. P. Guruprasad and B. S. Chandrasekar, “An evaluation framework for
security algorithms performance realization on FPGA,” in Proc. IEEE
Int. Conf. Current Trends Adv. Comput. (ICCTAC), 2018, pp. 1–6.
[8] N. Jain, D. S. Ajnar, and P. K. Jain, “Optimization of advanced
encryption standard algorithm (AES) on field programmable gate array
(FPGA),” in Proc. Int. Conf. Commun. Electron. Syst. (ICCES), 2019,
pp. 1086–1090.
[9] H. K. Kim and M. H. Sunwoo, “Low power AES using 8-bit and 32-
bit datapath optimization for small Internet-of-Things (IoT),” J. Sign.
Process. Syst., vol. 91, 1283–1289, Dec. 2019.
[10] Y. Wang and Y. Ha, “FPGA-based 40.9-Gbits/s masked AES with area
optimization for storage area network,” IEEE Trans. Circuits Syst. II,
Exp. Briefs, vol. 60, no. 1, pp. 36–40, Jan. 2013.
[11] K. Shahbazi and S.-B. Ko, “Area-efficient nano-AES implementation
for Internet-of-Things devices,” IEEE Trans. Very Large Scale Integr.
(VLSI) Syst., vol. 29, no. 1, pp. 136–148, Jan. 2021.
[12] A. Nakashima, R. Ueno, and N. Homma, “AES S-box hardware with
efficiency improvement based on linear mapping optimization,” IEEE
Trans. Circuits Syst. II, Exp. Briefs, vol. 69, no. 10, pp. 3978–3982,
Oct. 2022.
[13] U. Lee, H. K. Kim, Y. J. Lim, and M. H. Sunwoo, “Resource-efficient
FPGA implementation of advanced encryption standard,” in Proc. IEEE
Int. Symp. Circuits Syst. (ISCAS), May 2022, pp. 1165–1169.
[14] P. V. S. Shastry, A. Agnihotri, D. Kachhwaha, J. Singh, and
M. S. Sutaone, “A combinational logic implementation of S-box of
AES,” in Proc. 2011 IEEE 54th Int. MWSCAS, Aug. 2011, pp. 1–4.
[15] P.-C. Liu, J.-H. Hsiao, H.-C. Chang, and C.-Y. Lee, “A 2.97 Gb/s DPA-
resistant AES engine with self-generated random sequence,” in Proc.
Eur. Solid-State Circuit Conf. (ESSCIRC), Sep. 2011, pp. 71–74.
[16] Y. Zhang, K. Yang, M. Saligane, D. Blaauw, and D. Sylvester, “A com-
pact 446 Gbps/W AES accelerator for mobile SoC and IoT in 40nm,”
in Proc. IEEE Symp. VLSI Circuits (VLSI-Circuits), Jun. 2016, pp. 1–2.
[17] Advanced Encryption Standard (AES) Engine PG383 (V1.1), LogiCORE
IP Product Guide, Xlinx, San Jose, CA, USA, Jun. 2020.