Novel Reversible Design of Advanced Encryption Standard Cryptographic Algorithm for Wireless Sensor Networks
Abstract
The quantum of power consumption in wireless sensor nodes plays a vital role in power management, since a larger number of functional elements are integrated in a smaller space and operated at very high frequencies. In addition, the variations in the power consumption pave the way for power analysis attacks in which the attacker gains control of the secret parameters involved in the cryptographic implementation embedded in the wireless sensor nodes. Hence, a strong countermeasure is required to provide adequate security in these systems. Traditional digital logic gates are used to build the circuits in wireless sensor nodes, and the primary reason for their power consumption is the absence of the reversibility property in those gates. These irreversible logic gates consume power as heat due to the loss of information per bit. In order to minimize the power consumption and in turn to circumvent the issues related to power analysis attacks, reversible logic gates can be used in wireless sensor nodes. This shifts the focus from power-hungry irreversible gates to potentially powerful circuits based on controllable quantum systems. Reversible logic gates theoretically consume zero power and have an accurate quantum circuit model for practical realization, such as quantum computers and implementations based on quantum dot cellular automata. One of the key components in wireless sensor nodes is the cryptographic algorithm implementation which is used to secure the information collected by the sensor nodes. In this work, a novel reversible gate design of the 128-bit Advanced Encryption Standard (AES) cryptographic algorithm is presented. The complete structure of the AES algorithm is designed by using combinational logic circuits, which are then mapped to reversible logic circuits. The proposed architectures make use of the Toffoli family of reversible gates.
The performance metrics such as gate count and quantum cost of the proposed designs are rigorously analyzed with respect to the existing designs and are properly tabulated. Our proposed reversible design of AES algorithm shows considerable improvements in the performance metrics when compared to existing designs.
Keywords
Reversible logic, Security, Cryptography, AES algorithm, Toffoli gates, Low power, Wireless sensor networks, Power analysis attacks
1 Introduction
Reversible logic has demonstrated promising results in emerging applications of the computing paradigm such as quantum computation and nanotechnology [1, 2]. Reversible logic was first related to power when Landauer stated that information loss due to functional irreversibility leads to power dissipation [3]. This principle is further supported by Bennett, who showed that zero power dissipation can be achieved only when the circuit contains reversible gates [4]. A cryptographic algorithm is an essential part in building secure systems to protect information against attacks. A well-known cryptographic algorithm is the Data Encryption Standard [5], which has been widely adopted in many security products. However, serious considerations arise for long-term security because of the relatively short key length of only 56 bits and due to the highly successful cryptanalysis attacks.
In November 2001, the National Institute of Standards and Technology (NIST) of the United States chose the Rijndael algorithm as the suitable Advanced Encryption Standard (AES) [6] to replace the DES algorithm. Since then, many hardware implementations have been proposed in the literature. Some of the works target field programmable gate arrays (FPGA) [7] as the implementation platform and some target application-specific integrated circuits (ASIC) [8]. But both FPGA and ASIC implementations consume power from their source, which leads to information leakage through side channel attacks.
Quantum computing is a new paradigm for implementing cryptographic algorithms using reversible gates [9]. The primary reason for this is the increasing demand for low power and increased security in computing devices. As our computing demands become more complex, the power requirements tend to increase. This further leads to a prominent class of side channel attacks, namely power analysis attacks on cryptographic systems, notably categorized as simple power analysis (SPA), differential power analysis (DPA) and high order power analysis (HOPA) attacks. Cryptographic systems implemented with reversible gates ideally consume zero power and hence thwart all side channel attacks related to power analysis. Energy efficient implementations of reversible building blocks to counteract power analysis attacks were proposed in [10]. By using a proper charge sharing mechanism, resistance to power analysis attacks has been achieved in their proposed implementations.
In Ref. [11], an attempt has been made to apply reversible logic to develop secure cryptosystems against power analysis attacks. A prototype of reversible Arithmetic and Logic Unit (ALU) for cryptoprocessor was presented in that work. Reversible Montgomery multipliers were proposed to resist power analysis attacks in crypto hardware [12]. The various functional blocks in AES have been synthesized using Toffoli family of reversible gates in [13]. The reversible gate design of AES SubBytes and Inverse SubBytes transformations were proposed in [14]. The reversible gate design of finite field architectures for Elliptic Curve Cryptography was proposed in [15].
In the current work, a well-optimized reversible gate design of the 128-bit AES cryptographic algorithm is presented. First, the key transformations in the algorithm are synthesized by using conventional logic gates. Then the transformations are mapped to reversible logic and are synthesized by using reversible logic gates. The reversible logic synthesis is optimized by reusing the existing reversible gates wherever applicable so that the performance metrics are improved.
The paper is organized as follows. The background of reversible logic gates and their quantum cost are given in Sect. 2. Section 3 highlights the transformation steps in AES cryptographic algorithm. The proposed reversible building blocks of AES algorithm are explained in Sect. 4. The performance analysis of the proposed reversible design with the existing designs is given in Sect. 5. Section 6 concludes the paper with necessary references.
2 Background on Reversible Logic Gates

NOT: a′ = 1 ⊕ a

CNOT: a′ = a, b′ = a ⊕ b

TOFFOLI: a′ = a, b′ = b, c′ = c ⊕ ab

SWAP: b′ = a, a′ = b

FREDKIN: a′ = a, b′ = āb + ac, c′ = ab + āc, where ā is the complement of a.
The reversible logic synthesis can be done either with the Toffoli gate family or the Fredkin gate family since both are universal gates. In our proposed reversible design, the Toffoli family of reversible gates has been used for reversible logic synthesis. The quantum cost of a Toffoli gate with 0, 1 and 2 control lines is 1, 1, and 5 respectively. The performance metrics considered for reversible gate design are the number of ancilla inputs, the number of garbage outputs, the number of reversible gates used, the quantum cost and the delay in terms of number of stages. Ancilla inputs (constants, either 0 or 1) and garbage outputs are information that is not needed for the actual computation. They are required since reversibility necessitates an equal number of outputs and inputs. Quantum cost denotes the effort needed to transform a reversible circuit to a quantum circuit [16].
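The gate definitions and quantum costs above can be exercised with a small simulator. This is an added example, not code from the paper: the function names and the two sample circuits are constructed here, and the gate counts checked at the end are the ones tabulated later on this page.

```python
from itertools import product

# Quantum cost by number of control lines, as given in the text:
# NOT (0 controls) = 1, CNOT (1) = 1, CCNOT/Toffoli (2) = 5.
QUANTUM_COST = {0: 1, 1: 1, 2: 5}
GATE_NAME = {0: "NOT", 1: "CNOT", 2: "CCNOT"}


def apply_gate(bits, gate):
    """Flip the target line when every control line is 1 (no controls = NOT)."""
    controls, target = gate
    out = list(bits)
    if all(bits[c] for c in controls):
        out[target] ^= 1
    return out


def run(circuit, bits):
    """Push one input pattern through the gate cascade, first gate first."""
    for gate in circuit:
        bits = apply_gate(bits, gate)
    return list(bits)


def run_inverse(circuit, bits):
    """Each Toffoli-family gate is self-inverse: undo = same gates, reversed."""
    return run(list(reversed(circuit)), bits)


def is_reversible(circuit, width):
    """A circuit is reversible iff it maps the 2**width inputs one-to-one."""
    seen = {tuple(run(circuit, p)) for p in product((0, 1), repeat=width)}
    return len(seen) == 2 ** width


def metrics(circuit):
    """Return (gate counts by type, total quantum cost) for a cascade."""
    counts = {"NOT": 0, "CNOT": 0, "CCNOT": 0}
    for controls, _target in circuit:
        counts[GATE_NAME[len(controls)]] += 1
    cost = sum(QUANTUM_COST[len(controls)] for controls, _ in circuit)
    return counts, cost


def cost_from_counts(n_not=0, n_cnot=0, n_ccnot=0):
    """Quantum cost of a block described only by its gate counts."""
    return (n_not * QUANTUM_COST[0] + n_cnot * QUANTUM_COST[1]
            + n_ccnot * QUANTUM_COST[2])


# Constructed circuit 1: GF(2^4) adder. Lines 0-3 hold a, lines 4-7 hold b;
# four CNOTs leave a unchanged and replace b with a XOR b.
GF16_ADDER = [((i,), 4 + i) for i in range(4)]

# Constructed circuit 2: AND of lines 0 and 1 written onto an ancilla
# (line 2, preset to 0) by a single Toffoli gate.
AND_WITH_ANCILLA = [((0, 1), 2)]

if __name__ == "__main__":
    print("adder metrics:", metrics(GF16_ADDER))
    print("adder reversible:", is_reversible(GF16_ADDER, 8))
    print("AND(1,1) with ancilla 0:", run(AND_WITH_ANCILLA, [1, 1, 0]))
    # Gate counts tabulated on this page for the SubBytes/InvSubBytes module.
    print("SubBytes quantum cost:", cost_from_counts(4, 152, 35))
```
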
3 Background on AES Algorithm
The AES algorithm (FIPS 2001) is a symmetric block cipher that processes data blocks of 128 bits using a cipher key of length 128, 192, or 256 bits. Each data block consists of a 4 × 4 array of bytes called the state S, on which the basic operations of the AES algorithm are performed. In the encryption process, after an initial round key addition, a round function consisting of four different transformations (SubBytes, ShiftRows, MixColumns and AddRoundKey) is applied to the data block.
The SubBytes transformation is a nonlinear byte substitution that operates independently on each byte of the state S using a substitution table (S-Box). The ShiftRows operation is a circular shifting on the rows of the state with different numbers of bytes (offsets). The MixColumns transformation mixes the bytes in each column of the state by multiplication with a fixed polynomial modulo x^{4} + 1. AddRoundKey is an XOR operation that adds a round key to the state S in each iteration, where the round keys are generated during the key expansion phase. The round function is performed iteratively 10, 12, or 14 times (Nr), depending on the key length of 128, 192 or 256 bits respectively.
4 Proposed Reversible Building Blocks of AES Transformations
In this research, the major transformations of AES algorithm such as SubBytes [14], MixColumns, ShiftRows, AddRoundKey and Key scheduler are deduced using conventional logic gates. Then, conventional logic gates are mapped to reversible logic gates and are reused wherever possible in order to optimize the performance metrics.
The proposed reversible gate design of AES algorithm utilizes Toffoli family of reversible gates for their logic synthesis and is optimized in terms of reduced number of ancilla inputs, garbage outputs, gate count, quantum cost and delay. The functional verification of the proposed reversible gate designs is carried out by writing Verilog code for each reversible gate and integrating them. Xilinx ISE 13.2 is used for simulation purpose.
4.1 SubBytes and InvSubBytes Transformations
In the encryption module, the SubBytes transformation is a nonlinear transformation, which computes the multiplicative inverse of each byte of the state S in GF(2^{8}) with irreducible polynomial P(x) = x^{8} + x^{4} + x^{3} + x + 1 followed by an affine transformation. The transformation in the decryption module performs the inverse of the corresponding transformation in the encryption module.
4.1.1 Design Approaches
The SubBytes and InvSubBytes transformations can be implemented by two different approaches. They can be either constructed as a single circuit whose input–output relation is directly equivalent to the SubBytes transformation known as Lookup Table (LUT) approach or constructed as a multiplicative inversion circuit and an affine transformation circuit independently. Then, these two circuits are cascaded to design the SubBytes transformation known as composite field arithmetic approach.
4.1.2 Composite Field Arithmetic Approach

δ → Isomorphic mapping from GF(2^{8}) to composite fields

x^{2} → Squarer in GF(2^{4})

xλ → Multiplication with constant λ in GF(2^{4})

⊕ → Addition operation in GF(2^{4})

x^{−1} → Multiplicative inversion in GF(2^{4})

X → Multiplication operation in GF(2^{4})

δ^{−1} → Inverse isomorphic mapping to GF(2^{8}).

SubBytes transformation: multiplicative inversion in GF(2^{8}) followed by Affine transformation.

InvSubBytes transformation: inverse affine transformation followed by Multiplicative inversion in GF(2^{8}).
4.1.3 Proposed Reversible Multiplicative Inverse Module in GF(2^{8})
Since reversible gate designs are functionally reversible, it is sufficient to design either forward isomorphic mapping or inverse isomorphic mapping. The number of XOR operations required in the forward isomorphic mapping is 24 whereas inverse isomorphic mapping takes only 23 XOR operations. Hence, inverse isomorphic mapping function has been designed by using reversible gates in this research and the same design can be used for forward isomorphic mapping also.
Performance analysis of proposed reversible building blocks of multiplicative inverse module in GF(2^{8})
Name of the block  No. of ancilla inputs  No. of garbage outputs  No. of reversible gates  Quantum cost  Delay 

IsoMap/InvIsoMap  0  0  CNOT—15  15  13 
Squarer and multiplication by constant λ  0  0  CNOT—4  4  3 
Adder (XOR block)  0  4  CNOT—4  4  1 
Multiplication in GF(2^{4})  13  17  CNOT—25 CCNOT—9  70  18 
Multiplicative inverse in GF(2^{4})  8  8  CNOT—14 CCNOT—8  54  19 
Performance comparison of reversible multiplicative inverse modules in GF(2^{4})
Name of the approach  No. of ancilla inputs  No. of garbage outputs  No. of reversible gates  Quantum cost  Delay 

Square–multiply  34  42  CNOT—70 CCNOT—18  160  56 
Multiple decomposition  14  14  CNOT—22 CCNOT—9  67  19 
Direct mapping  8  8  CNOT—14 CCNOT—8  54  19 
From Table 2, it can be inferred that the multiplicative inverse in GF(2^{4}) can be efficiently computed with the direct mapping approach, since it takes fewer reversible gates and the quantum cost involved is also lower. This is because the composite field approach will not give optimum results when the order of the field involved is small, such as GF(2^{4}). Hence, in the proposed reversible SubBytes and InvSubBytes transformations, the multiplicative inverse in GF(2^{4}) is calculated by the direct mapping approach.
Performance analysis of proposed reversible multiplicative inverse module in GF(2^{8})
Name of the block  No. of ancilla inputs  No. of garbage outputs  No. of reversible gates  Quantum cost  Delay 

IsoMap/InvIsoMap  0  0  CNOT—30  30  26 
Squarer and multiplication by constant λ  0  0  CNOT—4  4  3 
Adder (XOR block)  0  8  CNOT—8  8  2 
Multiplication in GF(2^{4})  39  51  CNOT—75 CCNOT—27  210  36 
Multiplicative inverse in GF(2^{4})  8  8  CNOT—14 CCNOT—8  54  19 
Proposed reversible GF(2^{8}) multiplicative inversion module  47  67  CNOT—131 CCNOT—35  306  83 
4.1.4 Proposed Reversible Affine Transformation Block
Performance analysis of proposed reversible SubBytes/InvSubBytes transformation module
Name of the block  No. of ancilla inputs  No. of garbage outputs  No. of reversible gates  Quantum cost  Delay 

Multiplicative inverse in GF(2^{8})  47  67  CNOT—131 CCNOT—35  306  83 
Affine transformation  0  0  NOT—4 CNOT—21  25  21 
Proposed reversible SubBytes/InvSubBytes transformation module  47  67  NOT—4 CNOT—152 CCNOT—35  331  104 
4.1.5 Proposed Reversible SubBytes/InvSubBytes Transformation Blocks
4.1.6 Performance Analysis
Performance comparison of reversible SubBytes/InvSubBytes transformation modules
Name of the block  Gate count (conventional design)  Gate count (proposed design)  Quantum cost (conventional design)  Quantum cost (proposed design)  % Reduction in gate count  % Reduction in quantum cost 

IsoMap/InvIsoMap  46  30  46  30  35  35 
Squarer and multiplication by constant λ  8  4  8  4  50  50 
Adder (XOR block)  8  8  8  8  –  – 
Multiplication in GF(2^{4})  153  102  261  210  33  20 
Multiplicative inverse in GF(2^{4})  46  22  146  54  52  63 
Affine transformation  36  25  36  25  31  31 
Proposed reversible SubBytes/InvSubBytes transformation  297  191  505  331  36  35 
4.2 MixColumns and InvMixColumns Transformations
The MixColumns transformation operates on the state column-by-column, treating each column as a four-term polynomial (FIPS 2001). In this transformation, each byte of a column is replaced by a function of all the bytes in the same column. Here, each transformation is based on the polynomial c(x) = {03}x^{3} + {01}x^{2} + {01}x + {02}. This polynomial is coprime to x^{4} + 1 and therefore invertible with d(x) = {0B}x^{3} + {0D}x^{2} + {09}x + {0E} as the inverse. So, the InvMixColumns transformation is constructed with the polynomial d(x) where d(x) = c^{−1}(x).
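The field arithmetic behind both SubBytes (Sect. 4.1: inversion in GF(2^{8}) modulo P(x), then an affine map) and MixColumns (the polynomials c(x) and d(x) above) can be checked in software. This is an added reference model, not the paper's reversible circuit or its Verilog; the affine map and its constants {63} and {05} are taken from FIPS-197 rather than from this page, and all function names are chosen here.

```python
AES_POLY = 0x11B  # P(x) = x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8), reducing modulo P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse as a^254; 0 maps to 0, as AES defines it."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def rotl8(b, n):
    """Rotate a byte left by n bit positions."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def affine(b):
    """FIPS-197 affine transformation (assumption: not spelled out on the page)."""
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def inv_affine(s):
    """Inverse of the FIPS-197 affine transformation."""
    return rotl8(s, 1) ^ rotl8(s, 3) ^ rotl8(s, 6) ^ 0x05


def sub_byte(b):
    """SubBytes: inversion in GF(2^8) followed by the affine transformation."""
    return affine(gf_inv(b))


def inv_sub_byte(s):
    """InvSubBytes: inverse affine transformation followed by inversion."""
    return gf_inv(inv_affine(s))


def poly_mul_mod(a, b):
    """Multiply four-term polynomials over GF(2^8) modulo x^4 + 1.

    Lists are indexed by the power of x: [x^0, x^1, x^2, x^3].
    """
    out = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return out


C_POLY = [0x02, 0x01, 0x01, 0x03]  # c(x) = {03}x^3 + {01}x^2 + {01}x + {02}
D_POLY = [0x0E, 0x09, 0x0D, 0x0B]  # d(x) = {0B}x^3 + {0D}x^2 + {09}x + {0E}


def mix_column(col):
    """MixColumns on one state column [s0, s1, s2, s3]."""
    return poly_mul_mod(C_POLY, col)


def inv_mix_column(col):
    """InvMixColumns on one state column."""
    return poly_mul_mod(D_POLY, col)


if __name__ == "__main__":
    print("c(x) * d(x) mod x^4+1 =", poly_mul_mod(C_POLY, D_POLY))
    print("SubBytes({53}) = %02x" % sub_byte(0x53))
    # Constructed sample column, a commonly used MixColumns test vector.
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```
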
4.2.1 Proposed Reversible MixColumns Transformation
Performance analysis of reversible MixColumns transformation block
Metrics  Block 1  Block 2  Proposed reversible block 

Ancilla inputs  4  0  32 
Garbage outputs  0  8  32 
No. of reversible gates  12  11  140 
Quantum cost  12  11  140 
Delay  8  11  19 
4.2.2 Design of Reversible InvMixColumns Transformation
Performance analysis of reversible InvMixColumns transformation module
Metrics  Reversible MixColumns design  Inverse block 1  Inverse block 2  Inverse block 3  X4Time  Proposed reversible block 

Ancilla inputs  32  0  8  0  0  48 
Garbage outputs  32  0  0  8  0  48 
No. of reversible gates  140  8  8  8  5  214 
Quantum cost  140  8  8  8  5  214 
Delay  19  1  1  1  5  28 
4.2.3 Performance Analysis
Performance comparison of reversible InvMixColumns transformation modules
4.3 ShiftRows and InvShiftRows Transformations
4.3.1 ShiftRows Transformation
The ShiftRows transformation provides a simple permutation of the data, whereas the other transformations involve substitutions. Further, since the state is treated as a block of columns, it is this step which provides the diffusion of values between columns. The ShiftRows step operates on the rows of the state. It cyclically shifts the bytes in each row. The first row is left unchanged. Each byte of the second row is shifted one to the left. Similarly, the third and fourth rows are left shifted by two and three respectively.
4.3.2 InvShiftRows Transformation
InvShiftRows is the inverse of the ShiftRows transformation. The bytes in the last three rows of the state are cyclically shifted over different numbers of bytes. The first row is not shifted. Each byte of the second row is shifted one to the right. Similarly, the third and fourth rows are left shifted by two and three respectively. Both ShiftRows and InvShiftRows transformations involve cyclic shifting of bytes of data either to the right or to the left direction. Hence, these transformations do not require any specific reversible gates to perform the operations.
4.4 AddRoundKey Transformation
Performance analysis of AddRoundKey transformation module
Functional block  Number of gates  Quantum cost  Delay  Garbage output  Ancilla input 

AddRoundKey transformation  CNOT—128  128  1  128  0 
4.5 Proposed Reversible Key Scheduler
1. The RotWord() step, which cyclically shifts each byte in a word one byte to the left, can be implemented by wiring alone.
2. The SubWord() step, which applies the SubBytes transformation to each of the four bytes in a word, requires the same S-boxes as used in the main encryption flow.
3. The Rcon is a constant word array in which only the leftmost byte of each word is nonzero. Thus, only 8 CNOT gates are required to XOR the Rcon value with the output obtained from the previous step.
4. A 128-bit XOR operation is done by using 128 CNOT gates for the final step.
Performance analysis of proposed reversible key scheduler
Functional block  Number of gates  Quantum cost  Delay  Garbage output  Ancilla input 

RotWord  0  0  0  0  0 
SubBytes transformation  CNOT—152 NOT—4 CCNOT—35  331  104  67  47 
XOR with rcon  CNOT—8  8  1  8  0 
XOR operation  CNOT—32  32  1  32  0 
Key scheduler  CNOT—2592 NOT—64 CCNOT—560  5456  109  1232  752 
5 Performance Analysis of Reversible AES Design
5.1 Proposed Reversible AES Encryption Module
Performance analysis of proposed reversible AES encryption module
Functional block  Number of gates  Quantum cost  Delay  Garbage output  Ancilla input 

Round 0 (initial round)  CNOT—2720 NOT—64 CCNOT—560  5584  109  1360  752 
Rounds 1–9  CNOT—52,560 NOT—1152 CCNOT—10,080  104,112  1918  24,192  14,688 
Final round  CNOT—2560 NOT—64 CCNOT—560  5424  105  1200  752 
128AES encryption  CNOT—57,840 NOT—1280 CCNOT—11,200  115,120  2132  26,752  16,192 
5.2 Proposed Reversible AES Decryption Module
Performance comparison of reversible AES decryption modules
Parameters  Inverse cipher method  Equivalent inverse cipher method 

Number of gates  CNOT—60,504 NOT—1280 CCNOT—11,200  CNOT—62,430 NOT—1280 CCNOT—11,200 
Quantum cost  117,784  119,710 
Delay  1412  1440 
Garbage output  27,328  27,760 
Ancilla input  16,768  17,200 
Performance analysis of proposed reversible AES decryption module
Functional block  Number of gates  Quantum cost  Delay  Garbage output  Ancilla input 

Round 0 (initial round)  CNOT—2720 NOT—64 CCNOT—560  5584  109  1360  752 
Rounds 1–9  CNOT—55,224 NOT—1152 CCNOT—10,080  106,776  1198  24,768  15,264 
Final round  CNOT—2560 NOT—64 CCNOT—560  5424  105  1200  752 
AES decryption  CNOT—60,504 NOT—1280 CCNOT—11,200  117,784  1412  27,328  16,768 
5.3 Performance Improvement
The proposed reversible SubBytes/InvSubBytes transformation module of AES crypto core shows 36% reduction in gate count and 35% reduction in quantum cost compared to the conventional reversible designs. In addition, the proposed design shows 35% reduction in gate count and 97% reduction in quantum cost compared to the existing design of reversible SubBytes and InvSubBytes transformation module.
Performance improvements in proposed reversible AES design
Functional block  Gate count [13]  Gate count (proposed design)  Quantum cost [13]  Quantum cost (proposed design)  % Reduction in gate count  % Reduction in quantum cost 

SubByte module  294  191  11,602  331  35  97 
MixColumns module  736  140  1952  140  81  93 
AddRoundKey module  128  128  128  128  –  – 
Key scheduler module  4832  3216  185,760  5456  33  97 
Reversible AES design  109,664  70,320  3,749,408  115,120  36  97 
6 Conclusion
A novel reversible gate design of the complete 128-bit AES algorithm is presented. Since the reversible logic gates ideally consume zero power and their quantum computing based implementation is less sensitive to power analysis attacks, they are exploited to construct the AES algorithm in this work. The Toffoli family of reversible gates is used in the proposed designs and the reversible logic gates are reused as much as possible in order to optimize the performance metrics in the proposed structures. The proposed reversible gate design of the AES algorithm gives 36% reduction in gate count and 97% reduction in quantum cost when compared to the existing design. Hence, the proposed design can be effectively used to protect confidential data in low power and secure applications such as wireless sensor networks.
References
1. Merkle, R. C. (1993). Two types of mechanical reversible logic. Nanotechnology, 4(2), 114–131.
2. Younis, S. G., & Knight, T. F. (1994). Asymptotically zero energy split-level charge recovery logic. In Proceedings of international workshop on low power design (pp. 177–182).
3. Landauer, R. (1961). Irreversibility and heat generation in the computing process. IBM Journal of Research and Development, 5(3), 183–191.
4. Bennett, C. (1973). Logical reversibility of computation. IBM Journal of Research and Development, 17(6), 525–532.
5. Schneier, B. (1996). Applied cryptography. New York: Wiley.
6. National Institute of Standard and Technology (NIST). (2001). Advanced Encryption Standard (AES), FIPS-197.
7. Chodowiec, P., & Gaj, K. (2003). Very compact FPGA implementation of the AES algorithm. In Proceedings of cryptographic hardware and embedded systems (pp. 319–333).
8. Chih-Pin, S., et al. (2003). A high-throughput low-cost AES processor. IEEE Communications Magazine, 41(12), 86–91.
9. Saravanan, P., & Kalpana, P. (2013). A novel and systematic approach to implement reversible gates in quantum dot cellular automata. WSEAS Transactions on Circuits and Systems, 12(10), 307–316.
10. Saravanan, P., & Kalpana, P. (2014). Energy efficient reversible building blocks resistant to power analysis attacks. Journal of Circuits, Systems and Computers, 23(9), 14501271–145012740.
11. Thapliyal, H., & Zwolinski, M. (2006). Reversible logic to cryptographic hardware: A new paradigm. In 49th IEEE international midwest symposium on circuits and systems (Vol. 1).
12. Nayeem, N. M., Jamal, L., & Babu, H. M. H. (2009). Efficient reversible montgomery multiplier and its application to hardware cryptography. Journal of Computer Science, 5(1), 49–56.
13. Datta, K., Shrivastav, V., Sengupta, I., & Rahaman, H. (2013). Reversible logic implementation of AES algorithm. In Proceedings of 8th international conference on design & technology of integrated systems in nanoscale era (pp. 140–144).
14. Saravanan, P., & Kalpana, P. (2015). Design of SubBytes and InvSubBytes transformations of AES algorithm using power analysis attack resistant reversible logic gates. Australian Journal of Basic and Applied Sciences, 9(1), 8–18.
15. Saravanan, P., & Kalpana, P. (2015). Performance analysis of reversible finite field arithmetic architectures over GF(p) and GF(2m) in elliptic curve cryptography. Journal of Circuits, Systems and Computers, 24(8), 1550122–1550150.
16. Robert, W. (2011). An introduction to reversible circuit design. In Saudi international electronics, communications and photonics conference.
17. Rudra, A., Dubey, P. K., Jutla, C. S., Vijay Kumar, Rao, J. R., & Rohatgi, P. (2001). Efficient Rijndael encryption implementation with composite field arithmetic. In Proceedings of 3rd international workshop on cryptographic hardware and embedded systems (pp. 175–188).
18. Zhang, X., & Parhi, K. K. (2004). High-speed VLSI architectures for the AES algorithm. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 12(9), 957–967.
19. Mui, E. (2007). Practical implementation of Rijndael S-Box using Combinational logic. <http://www.xess.com/static/media/projects/Rijndael_SBox.pdf>.
20. Fischer, V., Drutarovsky, M., Chodowiec, P., & Gramain, F. (2005). InvMixColumn decomposition and multilevel resource sharing in AES implementations. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 13(8), 989–992.
21. Hua, L., & Friggstad, Z. (2005). An efficient architecture for the AES mix columns operation. IEEE International Symposium on Circuits and Systems, 5, 4637–4640.
22. Nalini, C., Anandmohan, P. V., Poornaiah, D. V. (2010). Mix/InvMixColumn decomposition and resource sharing in AES. In International conference on industrial and information systems (pp. 166–171).