Satellite on-board encryption by Banu, Pokhali Sayeda Roohi
Satellite On-Board Encryption 
Pokhali Sayeda Roohi Bano 
Submitted for the Degree of 
Doctor of Philosophy 
from the 
University of Surrey 
Surrey Space Centre 
School of Electronics and Physical Sciences 
University of Surrey 
Guildford, Surrey GU2 7XH, UK 
October 2007 
© Pokhali Sayeda Roohi Banu 2007 
To OUR LITTLE DAUGHTER 
Sana 
Summary 
In the light of the latest intrusions into satellite data, the demand to protect the 
sensitive and valuable data transmitted from satellites to ground has increased, and 
hence so has the need to use encryption on-board. The Advanced Encryption Standard 
(AES), which is a very popular choice in terrestrial communications, is slowly emerging 
as the preferred option in the aerospace industry, including satellites. 
Computing systems on-board satellites have limited power and computational 
resources as in terrestrial embedded systems. With these constraints in mind various 
implementations of the AES algorithm using different optimization techniques have 
been carried out on FPGAs and the implementations have been evaluated in terms of 
power, throughput and device area. 
Satellites operate in a harsh radiation environment and consequently any electronic 
system used on board, including the encryption processor, is susceptible to radiation-
induced faults. Hence, in addition to consuming limited resources, the encryption 
processor should be immune to radiation induced faults to avoid faulty data 
transmission to ground station. Most of the faults that occur in satellite on-board 
electronic devices are radiation induced bit flips called single event upsets (SEUs). A 
detailed novel analysis of the effect of faults on imaging and telemetry data during on-
board encryption is carried out. Also the impact of faults in the data which occur 
during transmission to the ground station due to noisy channels is discussed and 
compared. In order to avoid data corruption due to SEUs a novel fault-tolerant model 
of the AES is presented, which is based on the Hamming error correction code. 
Implementation of the proposed model is carried out on FPGAs and measurements of 
the power and throughput overhead are presented. 
Key words: Satellites, Advanced Encryption Standard (AES), AES modes, FPGA, 
radiation faults, fault propagation, Single Event Upset (SEU), fault tolerance, fault 
detection and correction and error correcting codes. 
Email: R.Banu@surrey.ac.uk 
Acknowledgments 
First and foremost I am very grateful to the Almighty for giving me the opportunity to 
carry out this study. 
I am deeply indebted to my supervisor, Dr. Tanya Vladimirova, for her invaluable 
suggestions and superb guidance throughout this PhD study. Without her constant 
support and encouragement, at both personal and professional levels, this journey of 
PhD would have been just impossible to carry out. 
I am very grateful to Prof. Sir Martin Sweeting for his valuable feedback on my work 
during this research program. I would like to say a big thank you to Karen Collar for 
the support and help throughout my stay at Surrey Space Centre (SSC). 
I would like to thank SSC, which besides providing me financial support to carry out 
my PhD also provided a good environment and infrastructure to work. I am also thankful 
to Universities UK for awarding me an Overseas Research Studentship (ORS) to partly 
fund my PhD study. 
I am grateful to my family members including my dear parents, who worked 
extremely hard to provide us the best education, my late grandparents, who always 
wished and prayed for my success, my loving sisters and brother and many other 
family members and friends. Most importantly I would like to say thank you to my 
husband Fakruddin, whose unwavering support and constant encouragement helped 
me to stay on track with my studies. Without his rock solid support this PhD study 
would have just stayed in my dreams. And finally I would like to say a huge 
thank you to my wonderful little daughter Sana Mohammed, who is kind enough 
to allow me to carry out my PhD studies. She deserves all the credit and I don't have 
any words to describe her patience at such a young age. I would like to dedicate this 
thesis to my lovely little angel Sana, my most precious gift. 
Index 
Summary 
Acknowledgments 
Index 
List of Figures 
List of Tables 
Glossary of Terms 
List of Symbols 
1 Introduction 
1.0 Motivation 
1.1 Objectives of the Thesis 
1.2 Novelty of the Research Work 
1.3 Structure of the Thesis 
1.4 Publications 
2 Encryption: Introduction & Algorithms 
2.0 Introduction 
2.1 Introduction to Security Services 
2.1.1 Confidentiality 
2.1.2 Authentication 
2.1.3 Integrity 
2.2 Introduction to Symmetric Key Encryption 
2.2.1 Principles of Symmetric Key Algorithms 
2.2.2 Brief History of Symmetric Key Algorithms 
2.2.3 Introduction to the AES Algorithm 
2.3 Encryption Using the AES Algorithm 
2.3.1 Encryption of Round Transformations 
2.3.2 Key Expansion 
2.4 Decryption Using the AES Algorithm 
2.4.1 Straight Forward Decryption 
2.4.2 Equivalent Decryption 
2.4.3 Decryption of Round Transformations 
2.5 The AES Modes 
2.5.1 ECB Mode 
2.5.2 CBC Mode 
2.5.3 OFB Mode 
2.5.4 CFB Mode 
2.5.5 CTR Mode 
2.5.6 Discussion 
2.6 Implementation Approaches to AES 
2.6.1 Architectural Optimization Techniques 
2.6.2 Algorithmic Optimization Techniques 
2.6.3 Implementation of Key Expansion 
2.7 Literature Survey of AES Implementations 
2.7.1 Review of AES Hardware Implementations 
2.8 Conclusions 
3 Satellite On-Board Encryption 
3.0 Introduction 
3.1 Overview to Small Satellites 
3.1.1 Small Satellites Missions 
3.1.2 Earth Observation Small Satellite On-Board Block Diagram 
3.2 Encryption Used in Present Earth Observation Satellites 
3.2.1 STRV-1d 
3.2.2 KOMPSAT-2 
3.2.3 MetOp-A 
3.2.4 RASAT 
3.2.5 RADARSAT-2 
3.3 On-Board Security Architecture for Earth Observation Small Satellites 
3.3.1 Security Services for Uplink Commands 
3.3.2 Security Services for Downlink Data 
3.4 Encryption of Satellite Images 
3.4.1 Encryption of Satellite Images Using AES Modes 
3.5 Conclusions 
4 Design Space Exploration of the AES Algorithm 
4.0 Introduction 
4.1 AES Implementation: Platform and Technology 
4.1.1 Hardware or Software platform? 
4.1.2 FPGA or ASIC? 
4.1.3 Antifuse or SRAM FPGAs? 
4.1.4 Structure of SRAM Based FPGAs 
4.1.5 Suitable Platform for the Implementation of AES for On-Board Use 
4.1.6 Overview of the Radiation Environment and Effects on Integrated Circuits 
4.1.7 Radiation Effects in SRAM Based FPGA 
4.1.8 Fault-Tolerant Approaches for SRAM Based FPGA Design 
4.1.9 SEU Mitigation Techniques in SRAM Based FPGAs 
4.1.10 Redundancy Methods for SEU Mitigation 
4.2 FPGA Development Tools & Flow 
4.2.2 Design Parameters 
4.3.1 AES Implementations Using Algorithmic Optimizations 
4.3.2 Effect of Algorithmic Optimization 
4.3.3 AES Implementations Using Architectural Optimizations 
4.3.4 Effect of Architectural Optimization 
4.3.4 Effect of FPGA Technology 
4.3.5 Discussion 
4.4 Conclusions 
5 Fault Tolerant Model of the AES Algorithm 
5.0 Introduction 
5.1 Faults in Satellite Data 
5.2 Fault Propagation in AES Modes 
5.2.1 AES Modes for On-Board Use 
5.3 Fault Detection 
5.3.1 Parity Based Fault Detection AES Model 
5.4 Fault-Tolerant AES Model 
5.4.1 Model Description 
5.4.2 Software Simulation 
5.4.3 Hardware Implementation of the Fault-Tolerant AES Model 
5.5 System-on-a-Chip Approach to On-Board Encryption 
5.6 Conclusion 
6 Conclusions & Future Work 
References 
A. Error Correction Using Hamming Codes 
B. Fault Propagation in Satellite Data (Non-imaging Data) 
C. MixColumns & SubBytes Block Diagrams 
List of Figures 
Figure 2-1 Block Diagram of Symmetric Key Encryption 
Figure 2-2 Block Diagram of Asymmetric Key Encryption 
Figure 2-3 Adding Digital Signature to Data 
Figure 2-4 AES Algorithm Flow Chart For Encryption 
Figure 2-5 S-Box Look Up Table (LUT) 
Figure 2-6 MixColumns Transformation 
Figure 2-7 AES Key Expansion 
Figure 2-8 Pseudo Code for Key Expansion Algorithm 
Figure 2-9 Key Expansion Algorithm 
Figure 2-10 Straightforward Decryption 
Figure 2-11 Equivalent Decryption 
Figure 2-12 Block Diagram of the ECB Mode 
Figure 2-13 Block Diagram of the CBC Mode 
Figure 2-14 Block Diagram of the OFB Mode 
Figure 2-15 Block Diagram of the CFB Mode 
Figure 2-16 Block Diagram of the CTR Mode 
Figure 2-17 Iterative AES Architecture 
Figure 2-18 Pipelining of the AES Algorithm 
Figure 2-19 Pipelining & Sub-pipelining of AES 
Figure 2-20 A Loop Unrolling AES Architecture 
Figure 2-21 Block Diagram of the SubBytes and InvSubBytes Transformations 
Figure 3-1 Small Satellites Developed by SSTL 
Figure 3-2 Constellation of Small Satellites (DMC) 
Figure 3-3 Block Diagram of On-Board Architecture 
Figure 3-4 DMC Imaging Sensors 
Figure 3-5 Solid State Data Recorders (a) Power PC Based (b) Strong Arm Based 
Figure 3-6 Block Diagram of Payload Data Handling in DMC Satellite 
Figure 3-7 Multi Spectral Unit (MSC) of KOMPSAT-2 
Figure 3-8 On-Board Encryption Block Diagram Used in METOP-A 
Figure 3-9 Block Diagram of the Proposed On-Board Security Architecture 
Figure 3-10 (a) Plain Image (b) Encrypted Image using ECB (c) Encrypted Image Using CBC, OFB, CFB & CTR 
Figure 4-1 Structure of Xilinx Virtex 2 FPGA 
Figure 4-2 Slice of Virtex 2 FPGA 
Figure 4-3 Fault Tolerant Approaches Used in SRAM Based FPGA Designs 
Figure 4-4 Triple Redundancy Mitigation (a) Triple Modular Redundancy (TMR) (b) Triple Device Redundancy (TDR) 
Figure 4-5 FPGA Design Implementation Flow 
Figure 4-6 Block Diagram of the AES Encryption Core 
Figure 4-7 Data Path of Option1 AES Encryption Core 
Figure 4-8 AES Data Path of the Option3 AES Core 
Figure 4-9 Throughput Vs frequency for AES implementation Option1, 2 & 3 
Figure 4-10 Dynamic Power Consumption Vs Frequency for the AES Implementation Option1, 2 & 3 
Figure 4-11 Slice Utilization of the Virtex 2 XC2V1000 FPGA for AES Implementation Options 1, 2 & 3 
Figure 4-12 Block Diagram of the Pipelined Implementation of the AES 
Figure 4-13 Block Diagram of the Sub-Pipelined implementation of the AES 
Figure 4-14 Dynamic Power Consumption Vs Frequency for Option1 on Different Family FPGAs 
Figure 4-15 Total Power Consumption Vs Frequency for Option1 on Different Family FPGAs 
Figure 4-16 Share of Static Power Consumption in the Total Power of Option1 AES Implementation on a Spartan 3 FPGA (a) 25 MHz (b) 75 MHz 
Figure 5-1 Fault Propagation during Encryption in CBC Mode 
Figure 5-2 Transmission Fault Propagation in CBC Mode 
Figure 5-3 (a) Plain Image (b) Decrypted image with SEU at 20,000th Block (c) Decrypted Image with SEU at 40,000th Block 
Figure 5-4 Propagation of Transmission Fault in CFB Mode 
Figure 5-5 Flow Chart of Fault Detection in AES 
Figure 5-6 Fault Detection and Correction Flow Chart 
Figure 5-7 JAVA GUI To Simulate AES Encryption 
Figure 5-8 JAVA GUI To Simulate AES Decryption 
Figure 5-9 JAVA GUI to simulate of fault injection and detection at 'bit' level 
Figure 5-10 JAVA GUI to simulate of fault injection and detection at 'bit' level 
Figure 5-11 Block Diagram of the Fault Tolerant AES Datapath 
Figure 5-12 Generic Architecture of Embedded IP Core-Based SOC 
Figure 5-13 Block Diagram of SOC Based Encryption Approach to DMC Payload 
List of Tables 
Table 2-1 Security Services, Mechanisms and Algorithms 
Table 2-2 Characteristics of Popular Symmetric Key Algorithms 
Table 2-3 Round Constant Values 
Table 2-4 Characteristics of the AES Modes 
Table 2-5 Implementation Options of the AES Algorithm 
Table 2-6 Software Implementations of the AES 
Table 2-7 ASIC Implementations of the AES 
Table 2-8 FPGA Implementations of the AES 
Table 3-1 Classification of Satellites 
Table 3-2 Summary of the Use of Encryption in Current Satellite Missions 
Table 4-1 Types of SEU Upsets in SRAM Based FPGAs 
Table 4-2 AES Implementations using Xilinx Virtex 2 Device XC2V1000 (On-line Key Expansion) 
Table 4-3 The AES Implementations with Pipelining (128-bit Data Path & Off-Line Key Expansion) 
Table 4-4 Logic Utilization of the Pipelined Implementations 
Table 4-5 Different Xilinx Family FPGA Devices Used for the AES Implementation 
Table 5-1 Fault Propagation Due to Single Bit Errors During Encryption and Transmission 
Table 5-2 Hamming Code Bit Match Table To Locate A Faulty Bit 
Table 5-3 FPGA Implementation of the Fault Tolerant Model with Option1 AES 
Table 5-4 FPGA Implementation of the Fault Tolerant Model with Option3 AES 
Glossary of Terms 
AES: Advanced Encryption Standard 
AHB: Advanced High performance Bus 
APB: Advanced Peripheral Bus 
API: Application Programmer Interface 
ASIC: Application Specific Integrated Circuits 
AU: Antenna Unit 
BUF: Buffer 
CAN: Control Area Network 
CBC: Cipher Block Chaining mode 
CCSDS: Consultative Committee for Space Data Systems 
CCU: Channel Coding Unit 
CFB: Cipher FeedBack mode 
CLB: Configurable Logic Block 
CMAC: Cipher based Message Authentication Code 
CORDIC: CO-ordinate Rotational DIgital Computer 
COTS: Commercial Off The Shelf 
CP: Co-Processor 
CPU: Central Processing Unit 
CRC: Cyclic Redundancy Check 
CTR: CounTeR mode 
DERA: Defense Evaluation and Research Agency 
DES: Data Encryption Standard 
DMC: Disaster Monitoring Constellation 
DSCU: Data Storage and Compression Unit 
DSP: Digital Signal Processor 
ECB: Electronic Code Book mode 
ECC: Elliptic Curve Cryptography 
EDAC: Error Detection And Correction 
EO: Earth Observation 
EPS: EUMETSAT's Polar System 
ESA: European Space Agency 
EUMETSAT: European Organisation for the Exploitation of Meteorological Satellites 
FIPS: Federal Information Processing Standard 
FPGA: Field Programmable Gate Array 
FPU: Floating Point Unit 
F/F: Flip-flop 
GAO: General Accounting Office 
GEO: Geo-stationary Earth orbit 
GRM: General Routing Matrix 
GF: Galois Field 
HDL: Hardware Description Language 
HDLC: High-level Data Link Control 
HMAC: Hash Message Authentication Code 
HRPT: High Rate Picture Transmission 
ICV: Integrity Check Value 
IDEA: International Data Encryption Algorithm 
IEEE: Institute of Electrical and Electronics Engineers 
ISE: Integrated Software Environment 
ITAR: International Traffic in Arms Regulation 
IV: Initial Vector 
KARI: Korean Aerospace Research Institute 
KHTT: Know-How Transfer and Training 
KOMSAT: KOrean Multi-purpose SATellite 
KMC: Key Management Centre 
LEO: Lower Earth Orbit 
LET: Linear Energy Transfer 
LRPT: High Rate Picture Transmission 
LU: Loop Unrolling 
LUT: Look-Up Table 
MD: Message Digest 
MetOP: Meteorological Operational 
M2M: Metal to Metal 
MSC: Multi Spectral Camera 
NASA: National Aeronautics and Space Administration 
NIST: National Institute of Standards and Technology 
NOAA: National Oceanic and Atmospheric Administration 
NSA: National Security Agency 
OBC: On-Board Computer 
OBDH: On-Board Data Handling 
OFB: Output FeedBack mode 
ONO: Oxide Nitride Oxide 
OTP: One Time Programmable 
PKI: Public Key Infrastructure 
PGP: Pretty Good Privacy 
PNK: Pseudo Random Keys 
PP: Pipelining 
PSK: Public Satellite Keys 
RAM: Random Access Memory 
RSA: Rivest Shamir Adleman 
RTL: Register Transfer Level 
SAR: Synthetic Aperture Radar 
SEE: Single Event Effect 
SEL: Single Event Latchup 
SEU: Single Event Upset 
SEFI: Single Event Functional Interrupt 
SHA: Secure Hash Algorithms 
SP: Sub Pipelining 
SRAM: Static Random Access Memory 
SSC: Surrey Space Centre 
SSDR: Solid State Data Recorders 
SSL: Secure Socket Layer 
SSR: Solid State Recorders 
SSTL: Surrey Satellite Technologies Ltd 
STRV: Space Technology Research Vehicles 
TDES (3DES): Triple Data Encryption Standard 
TDR: Triple Device Redundancy 
TID: Total Ionizing Dose 
TMR: Triple Modular Redundancy 
VCDU: Virtual Channel Data Unit 
VHDL: VHSIC Hardware Description Language 
VHSIC: Very High Speed Integrated Circuit 
VLSI: Very Large Scale Integration 
XTMR: Xilinx Triple Modular Redundancy 
List of Symbols 
Bitwise Exclusive OR 
Multiplication in Galois Field GF(2^8) 
PriA: Private key of 'A' 
PubA: Public key of 'A' 
S-Box: SubBytes LUT 
T-Box2: Galois field multiplication of S-Box LUT elements by 2 
T-Box3: Galois field multiplication of S-Box LUT elements by 3 
SRD: S-Box LUT 
PRD: Parity bits of S-Box 
P2RD: Parity bits of T-Box2 
P3RD: Parity bits of T-Box3 
hRD: Hamming code bits of S-Box 
h2RD: Hamming code bits of T-Box2 
h3RD: Hamming code bits of T-Box3 
m(x): Irreducible polynomial used in AES algorithm 
Σ: Summation 
{a}: Representation of byte 'a' in hex 
*: Representation of a fault 
µm: Micrometer 
Hz: Hertz 
MHz: Mega Hertz 
kbps: Kilo bits per second 
Mbps: Mega bits per second 
Gbps: Giga bits per second 
kg: kilo gram 
W: Watts 
mW: Milli Watts 
J: Joules 
mJ: Milli Joules 
f: Frequency of operation 
Maximum frequency of operation 
ms: Milli second 
rad: Radiation absorbed dose 
Chapter 1 
1 Introduction 
1.0 Motivation 
The history of cryptography stretches from the times of ancient Egypt to today and its 
importance is increasing day by day [1]. In recent years, with the explosive 
advancement of computers and the Internet, the dependence of both organizations and 
individuals on the security of the information stored and communicated using these 
systems has increased [2,3]. Security in military satellites is mandatory, and classified 
security products are used to protect the transmitted information. Security in 
commercial satellites has, however, been overlooked for various reasons such as 
limited computational resources, and partly due to the impression that satellites are 
very far away and out of reach of hackers [4]. Presently, satellite manufacturers are 
realizing the importance of security in satellites and the demand for security services 
in satellites is increasing steadily [5, 6, 7]. 
Recent intentional hack attacks have proved that intrusion into satellite data is not an 
impossible task. A team at the Embry Riddle Aeronautical University managed to 
obtain National Oceanic and Atmospheric Administration (NOAA) satellite imagery 
with basic apparatus built as part of an experimental project and by using open 
sources available from the Internet [8]. Similarly, researchers from a Japanese 
University were able to access data from National Aeronautics and Space 
Administration's (NASA) Earth observation satellite LandSat as it flew over Japan 
[9]. Furthermore, the idea behind NASA's concept of a Space Internet is that satellite 
users and scientists will directly access the satellite just like any other computer over 
the Internet to get the required information [10, 11, 23]. Allowing direct access to 
spacecraft certainly gives flexibility, but at the cost of threats such as unauthorized 
access and illegal use of valuable data. In order to prevent such problems, adequate 
security services are absolutely necessary. 
Satellites are broadly classified into large and small satellites according to their mass. 
Satellites weighing more than 500 kg are classified as large satellites and less than 
500 kg as small satellites [12]. Small satellites are cheaper, less complex, require less 
maintenance and also take less amount of time to build compared to traditional large 
satellites. The demand for them is increasing more and more in recent years as they 
are affordable by large number of nations across the world. Small satellites can 
provide platforms for carrying out successful civilian and military missions. The 
targeted missions of small satellites are science, Earth Observation (EO), commercial 
telecommunications, military, technical demonstration and education. Remote sensing 
or EO satellites observe the Earth by taking images with smart imaging sensors 
(cameras) on-board to be used in monitoring the environment, disasters, vegetation, 
map marking, urban planning etc. The demand for small EO satellites is growing [13]. 
A network of small satellites in Low Earth Orbit (LEO) can provide an effective low-
cost platform for remote sensing of various phenomena on Earth. EO satellites used 
for disaster monitoring and mitigation applications, usually require effective, real-time 
monitoring in order to be able to react quickly to mitigate the effects of such disasters. 
Better performance and wide range of services can be achieved by using a network or 
constellation of low cost EO small satellites [12,13,14]. 
Recent unauthorized intrusions into EO satellite data have raised the importance of 
using security services on board. Encryption, by far the most widely adopted security 
service in terrestrial networks, is used to protect data from unauthorized users [2, 3]. 
More and more EO satellites are equipped with on-board encryption to protect the 
data transmitted to the ground station [15,16,17,18]. However, the encryption 
algorithms used in present satellite missions are typically proprietary or outdated 
algorithms like the Data Encryption Standard (DES) rather than algorithms based on 
the latest encryption standards [11]. 
The Rijndael algorithm approved as the Advanced Encryption Standard (AES) by the 
US National Institute of Standards and Technology (NIST) is being adopted by many 
organizations across the world [20,21]. AES is used across a wide range of platforms 
ranging from smart cards to big servers because of its simplicity, flexibility, ease 
of implementation and high throughput. Therefore, the AES is well suited to resource-
constrained platforms like satellites [11,19]. 
In order to meet the requirement for high data rate processing demanded by present 
EO satellites, hardware implementation is considered to be the preferred choice in 
satellite imaging payloads [12,13]. Advantages of Field Programmable Gate Arrays 
(FPGAs) such as flexibility of design, shorter time-to-market, lower cost, remote 
configurability etc., make them very suitable for use in small satellite on-board 
systems [22]. The effect of various optimization techniques on throughput and device 
area has been thoroughly investigated in present FPGA implementations. But for 
satellite on-board use, in addition to throughput and area, power analysis is vital as 
small satellites are energy constrained [13]. 
In addition to the above design characteristics, fault tolerance is very important in 
satellite applications [26,27]. Satellites operate in a harsh radiation environment and 
therefore any electronic systems used on-board, such as processors, memories etc., are 
very susceptible to faults induced by radiation [24,25]. There is no exception for an 
encryption processor used on-board, which should be robust enough to faults in order 
to avoid transmission of corrupted data to ground. Faults must be detected and 
corrected on-board before sending the data to ground to avoid redundant transmission 
and use of erroneous data. Also, if faulty data is transmitted to the ground station, the 
user's request for data re-transmission has to wait until the next satellite revisit period, 
with revisit times varying from a couple of hours to weeks. Most of the faults that 
occur in satellite on-board electronic devices are radiation induced single bit flips 
called single event upsets (SEU) [28]. SEUs can corrupt the data during on-board 
encryption and hence should be mitigated. 
1.1 Objectives of the Thesis 
Only very few EO satellites are equipped with on-board security services, in particular 
only encryption services are used to protect the data transmitted to the ground station. 
Security services such as authentication and data integrity, which are required for the 
overall protection of satellite data, are not addressed at present [11]. In order to secure 
the communication between the satellite and the ground station, both the uplink and 
the downlink need to be protected. In addition, similar to secure terrestrial 
architectures, all security services like authentication, integrity and encryption should 
be used for complete protection of the satellite communication links [4,5]. Hence the 
initial objective of this research is to identify the security services required to protect 
the EO satellite links and present a security block diagram. 
Encryption algorithms used in present satellite missions are typically proprietary 
algorithms or outdated algorithms like DES, rather than using the latest encryption 
standards [11]. The Rijndael algorithm approved as the AES by the NIST in October 
2000 is being adopted by many organizations across the world. One of the main 
objectives of this research is to investigate the suitability of the AES, in terms of 
speed, area and power consumption, for satellite on-board use and present an 
optimal implementation. 
The space environment is significantly different from the terrestrial environment. The 
lack of atmospheric protection increases the incident radiation, which can produce 
soft and hard circuit faults [28]. When an FPGA is used in space, the effects of 
radiation must be considered and accounted for [25]. Hence the investigation of the 
robustness of AES algorithm against radiation induced faults is the primary objective 
of this research. 
1.2 Novelty of the Research Work 
The following novel contributions have been made to meet the above objectives: 
• This research has identified the necessary security services required to protect the 
satellite links and presented the security architecture for small EO satellites. 
• Suitability of the AES algorithm for satellite on-board use has been investigated. 
Novel design space exploration of the AES has been carried out in order to identify 
the optimal implementation for on-board use based on FPGAs. Design parameters 
such as throughput, area, power and energy have been considered in the exploration 
process. 
• Satellites operate in a harsh radiation environment and therefore the AES 
encryption processor used on-board should be robust enough to faults in order to 
avoid transmission of corrupted data to ground. Hence the other dimension of 
exploration is to check the robustness of the AES algorithm against radiation 
induced faults. In order to analyse this, a novel study of fault propagation in 
encrypted satellite images using the AES has been carried out. 
• In order to minimise the damage caused to the data due to radiation induced SEUs 
and hence to avoid redundant transmission and use of erroneous data, a novel fault 
tolerant model for the AES algorithm based on the Hamming error detection and 
correction codes is presented. 
• Both software (using Java) and hardware (FPGA based) implementations of the 
proposed model are also developed to validate and to measure the power, area & 
throughput overhead of the proposed model. 
1.3 Structure of the Thesis 
Chapter 2 of this thesis introduces various cryptographic security services such as 
confidentiality, authentication and integrity and security mechanisms to provide these 
services such as encryption, digital signatures, and integrity check values. This 
chapter concentrates on encryption, in particular symmetric key encryption, the most 
widely adopted security service to provide confidentiality. The basic principles and 
brief history of symmetric key algorithms are discussed and the AES, the latest 
symmetric key encryption algorithm is introduced. The transformations used for 
encryption and decryption are also discussed in greater detail. AES is a block cipher, 
which encrypts one block of data at a time. To encrypt more than one block modes of 
operation have been defined by NIST. The most popular modes ECB, CBC, OFB, 
CFB and CTR are discussed and compared. An elaborate survey of the AES 
implementations on various platforms is carried out and documented at the end of the 
chapter. 
Chapter 3 addresses the security needs of small EO satellites. This chapter starts with 
a brief introduction to the small satellite platform and on-board architecture block 
diagram. A detailed survey of on-board security measurements used in existing and 
planned satellites is presented. Then this chapter discusses generic requirements of 
on-board security measurements for EO satellites and presents on-board security 
architecture for small satellites. At the end of this chapter, satellite image encryption 
using the AES algorithm is discussed. 
Chapter 4 discusses the suitability of the AES algorithm for on-board use in terms of 
high processing speed, low area, power and energy consumption. It discusses a 
suitable platform and technology for the implementation of the AES for on-board use. 
This chapter addresses the effect of various AES algorithmic optimization techniques 
on the throughput, device area and power of SRAM-based FPGA implementations 
targeting the space application domain. Architectural optimizations such as pipelining 
and sub-pipelining are also introduced in the AES implementations and design 
parameters are presented and compared. 
Chapter 5 describes the impact of radiation faults during on-board encryption caused 
by SEUs and faults during transmission caused by noise. Also the impact of 
transmission faults and SEUs are discussed for each of the five modes, ECB, CBC, 
CFB, OFB and CTR. And finally a novel fault tolerant model for the AES algorithm 
based on the Hamming error detection and correction codes is presented. FPGA 
implementation of the proposed model is presented in this chapter. 
General conclusions drawn from the previous chapters, together with a summary of 
the original contributions are presented in Chapter 6. Future work, including possible 
extensions on the work presented in this thesis is described as well in the same 
chapter. In Appendices, some related information about the previous chapters is 
provided. 
1.4 Publications 
The results of the thesis are published in a journal paper and 7 conference papers as 
listed below: 
Journal Papers 
1. R.Banu and T.Vladimirova, "Fault-Tolerant Encryption for Space Applications", 
IEEE Transactions on Aerospace & Electronic Systems (TAES), Accepted for 
publication on the 24th July 2007. 
Conference Papers 
1. R.Banu and T.Vladimirova, "Investigation of Fault Propagation in Encryption of 
Satellite Images Using the AES Algorithm", Proceedings of 25th IEEE Military 
Communications Conference (MILCOM 2006), 23-25 October 2006, Washington 
D.C., USA, Pages 1 - 6. 
2. R.Banu and T.Vladimirova, "On-Board Encryption in Earth Observation Small 
Satellites", Proceedings of 40th IEEE International Carnahan Conference on 
Security Technology (ICCST 2006), 16-19 October 2006, Kentucky, USA, Pages 
203 - 208. 
3. T.Vladimirova and R.Banu, "Security Services on Board Satellites" Proceedings 
of ECSIS Symposium on Intelligent Systems for Defence and Security (ISDS), 
September 2006, Iasi, Romania 
4. R.Banu and T.Vladimirova, "Encryption of Multispectral Satellite Images with 
the AES Algorithm", Proceedings of the 9th Military and Aerospace Applications 
of Programmable Logic Devices and Technologies International Conference 
(MAPLD 2006), P-I010, 26-28 September 2006, Washington DC, US, NASA. 
5. T. Vladimirova, R. Banu and M. N. Sweeting. "On-Board Encryption in 
Satellites", Proceedings of the 8th Military and Aerospace Applications of 
Programmable Logic Devices and Technologies International Conference 
(MAPLD 2005), F-184, 7-9 September 2005, Washington DC, US, NASA. 
6. R.Banu and T.Vladimirova, "Addressing the Need for On-Board Encryption in 
Small Satellites", Proceedings of the 6th Postgraduate Research Conference in 
Electronics, Photonics, Communications & Networks and Computing Science 
(PREP 2005), 2005, University of Lancaster, Lancaster, UK. 
7. R.Banu and T.Vladimirova, "Floating-Point Unit and Mathematical Co-Processor 
for a Single-Chip On-Board Computer", Proceedings of the 5th Postgraduate 
Research Conference in Electronics, Photonics, Communications & Networks and 
Computing Science (PREP 2004), 2004, University of Hertfordshire, Hatfield, UK 
Papers under review 
Another paper titled "FPGA Implementation of the AES Algorithm for Satellite On-
Board Use" is submitted to Journal of Microelectronics, Elsevier on the 11th May 
2007. This paper is under review. 
Chapter 2. Encryption 
Chapter 2 
2 Encryption: Introduction & Algorithms 
2.0 Introduction 
Cryptography, the science of keeping information secure, has been used for many centuries 
to protect information from being accessed or used by unauthorized people. The 
history of cryptography stretches from the times of ancient Egypt to today and its 
importance is increasing day by day [1]. People are interested in protecting their 
information for different reasons. The ancient Chinese used the ideographic nature of 
their character-based language to hide the trade secrets of silk manufacturing, while 
the Germans used the Enigma machine during the Second World War to protect their 
military secrets from their enemies [3]. In recent years, with the explosive advancement of 
computers, the Internet and interconnectivity, the dependence of both organizations and 
individuals on the information stored and communicated using these systems has 
increased. This, in turn, has led to a heightened awareness of the need to secure data 
and resources from hacking and intrusion. Many lessons were learnt from 
ignoring security measures on the Internet [2, 29]. Cryptography has now become 
mandatory and is considered a basic building block for the security of any 
computer system or network. 
Before the revolution of computers and the Internet, cryptography was mostly concerned 
with keeping information confidential by using secret codes [1]. But in the 
present information technology era, in addition to confidentiality, other cryptographic 
security services such as authentication, authorization, access control and integrity are 
commonly used to provide security at different abstraction levels [2,3]. 
In this chapter, a brief introduction is first given to various cryptographic security 
services such as confidentiality, authentication and integrity, and to the security 
mechanisms that provide these services, such as encryption, digital signatures and 
integrity check values (Section 2.1). The rest of the chapter concentrates on 
encryption, in particular symmetric key encryption, the most widely adopted security 
service to provide confidentiality. Section 2.2 discusses the basic principles and brief 
history of symmetric key algorithms and introduces the AES, the latest encryption 
algorithm endorsed by NIST. Sections 2.3 and 2.4 discuss, in greater detail, the 
transformations used for encryption and decryption respectively. AES is a block 
cipher, which encrypts one block of data at a time. To encrypt more than one block, 
modes of operation have been defined by NIST. Section 2.5 describes and compares 
the most popular modes ECB, CBC, OFB, CFB and CTR. An elaborate survey of the 
AES implementations on various platforms has been carried out and documented in 
Section 2.7. Section 2.8 concludes the chapter. 
2.1 Introduction to Security Services 
A number of security services, such as confidentiality, integrity, authentication, non-
repudiation, access control etc. are included in today's terrestrial security architectures 
to provide various security measures at different abstraction levels. These security 
services are implemented using different security mechanisms such as encryption, 
hash functions, digital signatures etc. [2,29,33]. A brief description of a few important 
security services and security mechanisms is given below. 
2.1.1 Confidentiality 
Confidentiality, the most popular security service, is used to keep the contents of 
information accessible to only those authorized to have it. The security mechanism 
that provides confidentiality service is known as encryption. Encryption is performed 
on plain data to produce cipher data. The reverse process is known as decryption. An 
encryption algorithm or cipher is used to achieve confidentiality. A key is used during 
the encryption and decryption process. Encryption algorithms may be symmetric or 
asymmetric [30,31,32]. 
Symmetric key cryptography uses the same key (K) for both encryption and 
decryption as shown in Figure 2-1 [2]. The sender encrypts the plain data with key 'K' 
and sends it to the receiver through an unsecured channel. The receiver decrypts the data, 
again with key 'K', into its original form. The key should be kept secret and is shared 
over a secure channel between the sender and the receiver. 
[Figure 2-1 Block Diagram of Symmetric Key Encryption: at the sender, plain data enters the 
encryption algorithm with Key (K); the cipher data crosses the unsecured channel; at the 
receiver, the decryption algorithm with Key (K) recovers the plain data; K is shared over a 
secured channel.] 
Another class of algorithms uses a key pair, one key for encryption and the other one 
for decryption. Either of the keys in a key pair can be used for encryption and the 
other for decryption. These algorithms are called asymmetric key or public key 
algorithms. The encryption key, also known as public key, can be made public for 
anyone to do the encryption but only the owner of the decryption key, also known as 
private key, can decrypt and read the message or vice versa. The asymmetric key 
encryption shown in Figure 2-2 [2] uses the key pair K1 (public key) and K2 (private 
key). Public key K1 can be made public and can be shared by many users through an 
unsecured channel. Given a key pair, it is computationally, or otherwise, difficult to 
derive one key from the other, the difficulty depending on the size of the key. Hence 
the key size of the public key cryptography is higher than the symmetric key 
cryptography. This ensures that, in practice, the private key cannot be deduced from 
the public key. 
[Figure 2-2 Block Diagram of Asymmetric Key Encryption: at the sender, plain data enters the 
encryption algorithm with the Public Key (K1); the cipher data crosses the unsecured channel; 
at the receiver, the decryption algorithm with the Private Key (K2) recovers the plain data.] 
The asymmetric key algorithms are slower than symmetric key algorithms as they use 
large key sizes and complex mathematical functions for encryption and decryption. 
For instance, the RSA (Rivest, Shamir and Adleman) public key algorithm uses a 1024-bit key 
and uses modular exponentiation and multiplication of larger prime numbers [2]. Public key 
algorithms are mainly used for authentication, key exchange, digital certificates and 
digital signatures. The symmetric key algorithms are fast as they use a small key size. 
These are used for high-speed bulk data encryption. A wide variety of 
algorithms is available for symmetric key encryption. Section 2.2 discusses the principles of 
symmetric key cryptography and describes a few popular symmetric key algorithms. 
2.1.2 Authentication 
Authentication provides the ability to verify the identity of a user or entity in a 
system. Authentication provides the assurance that information transmitted from a 
claimed source actually came from that source [32,33]. This service is also known as 
data origin authentication and data integrity. Data authentication is usually achieved 
by appending an extra unit of information to the original message. This extra unit of 
information is called the digital signature and is shown in Figure 2-3 [2]. The digital 
signature identifies the origin of the data, and the receiver of the data is thus assured 
that the data is from the claimed source. The essential characteristic of the digital 
signature mechanism is that the signed data unit cannot be created by an unauthorized 
entity. 
[Figure 2-3 Adding Digital Signature to Data: the digital signature is appended to the 
original data.] 
Many digital signature generation mechanisms require the use of an asymmetric 
cryptographic algorithm where sender and receiver do not hold the same 
cryptographic keys (as described in section 2.1.1). Rather, a pair of public and private 
keys that are mathematically related to one another are used. At the origin of the data, 
the cryptographic algorithm generates a digital signature using the sender's private 
key. The signature may be generated from the data itself and is of a specific length 
depending on the algorithm used. Data origin authentication is achieved when the 
digital signature is successfully verified by the receiver using the sender's public key. 
Encryption of the data itself can also provide implicit authentication when using a 
symmetric cryptographic algorithm. Authentication is achieved because the recipient 
must have and use the correct key to decipher the digital signature appended to the 
data. This assumes there is an assured key distribution mechanism. Also, encryption 
provides implicit authentication when using a public key system. 
2.1.3 Integrity 
An integrity service is used to ensure that unauthorized users have not manipulated 
the data in any way. Data integrity provides assurance that data transmitted from a 
source is unchanged, by detecting whether it has been accidentally or maliciously 
modified, altered, or destroyed [32,33]. 
Integrity of data is achieved by appending an Integrity Check Value (ICV) to the data 
structure in a manner similar to the way a digital signature is appended. However, the 
ICV is always a function of the data itself. A Cyclic Redundancy Check (CRC) is a 
simple example of such a function. Stronger functions include Message Digest 5 
(MD5) and the Secure Hash Algorithms (SHA-1, SHA-2). The receiver generates a 
corresponding check value by performing an operation (which may be cryptographic) 
on the data and compares the result to a received value to determine if the data has 
been modified in transit. Cryptographic functions such as keyed-Hash Message 
Authentication Code (HMAC) or Cipher-based MAC (CMAC) are used to achieve 
both authentication and integrity of the data simultaneously. Using HMAC, the 
authentication code is generated using a cryptographic hash value in combination with 
a secret key. The hash function is used for the integrity check, whereas the use of the secret key 
provides authentication. And hence both authentication and integrity can be 
simultaneously verified. More details on authentication and integrity can be found at 
[2,3]. 
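The contrast drawn above between a keyless ICV (CRC) and a keyed HMAC, as an added example that is not code from the thesis: the telemetry payload, the key and all function names are constructed for illustration, and HMAC-SHA-256 stands in for the SHA-2 family mentioned in the text.

```python
import hashlib
import hmac
import zlib

CRC_LEN = 4    # CRC-32 ICV size in bytes
TAG_LEN = 32   # HMAC-SHA-256 tag size in bytes


def add_crc(payload: bytes) -> bytes:
    """Append a CRC-32 ICV. The ICV is a function of the data only (no key)."""
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")


def check_crc(frame: bytes) -> bool:
    """Recompute the CRC-32 over the payload and compare it with the received ICV."""
    if len(frame) < CRC_LEN:
        return False
    payload, icv = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(payload).to_bytes(CRC_LEN, "big") == icv


def add_hmac(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA-256 tag: a hash of the data combined with a secret key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_hmac(key: bytes, frame: bytes) -> bool:
    """Recompute the tag with the shared key; compare in constant time."""
    if len(frame) < TAG_LEN:
        return False
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Model an accidental single-bit error (for example an SEU or channel noise)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def run_demo() -> dict:
    key = bytes(range(32))                          # constructed sample key
    payload = b"FRAME=0042;TEMP=21.5C;BATT=7.9V"    # constructed telemetry frame
    altered = b"FRAME=0042;TEMP=99.9C;BATT=7.9V"    # same frame, one field changed

    crc_frame = add_crc(payload)
    mac_frame = add_hmac(key, payload)

    return {
        # Unmodified frames verify under both schemes.
        "crc_intact": check_crc(crc_frame),
        "hmac_intact": check_hmac(key, mac_frame),
        # An accidental bit flip in the payload is caught by both schemes.
        "crc_bit_flip": check_crc(flip_bit(crc_frame, 37)),
        "hmac_bit_flip": check_hmac(key, flip_bit(mac_frame, 37)),
        # A deliberate change: the CRC needs no secret, so a fresh ICV can be
        # computed for the altered data and the check passes.
        "crc_altered_new_icv": check_crc(add_crc(altered)),
        # Without the key, the old tag does not match the altered data ...
        "hmac_altered_old_tag": check_hmac(key, altered + mac_frame[-TAG_LEN:]),
        # ... and a tag made with any other key does not verify either.
        "hmac_altered_other_key": check_hmac(key, add_hmac(b"not-the-key", altered)),
    }


if __name__ == "__main__":
    for name, verified in run_demo().items():
        print(f"{name:24s} verified={verified}")
```

The CRC row that still verifies after the payload was changed is the reason a keyless ICV gives protection against accidental faults only, while the keyed tag covers both integrity and data origin.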
Other popular security services include non-repudiation, which prevents both the 
sender and the receiver of a transmission from denying previous commitments or 
actions, and access control, which limits and controls the access to information only to 
authorized people. More detailed description of popular security services, 
mechanisms, algorithms and their features can be found in [2,11]. Security 
mechanisms make use of different cryptography algorithms to provide different 
security services, some of which are listed in Table 2-1. 
Table 2-1 Security Services, Mechanisms and Algorithms 
Security Service | Security Mechanism                                    | Algorithms 
Confidentiality  | Symmetric and Asymmetric Key Encryption Algorithms    | DES, 3-DES, IDEA, AES, RSA, ECC 
Authentication   | MAC and Digital Signatures                            | MD5, SHA-1, KERBEROS, DSA 
Integrity        | Hash Functions, Digital Signatures, Checksum Function | RSA, DSA, ECC 
For secure terrestrial communication, well-defined security policies and 
infrastructures like X.800, Public Key Infrastructure (PKI), and Pretty Good Privacy 
(PGP) etc are available for the implementation of security services using the security 
mechanisms and algorithms listed in Table 2-1. 
The rest of the chapter concentrates on symmetric key encryption, which is widely 
adopted to provide confidentiality. 
2.2 Introduction to Symmetric Key Encryption 
As discussed above, symmetric key encryption uses the same key for both encryption 
and decryption as shown in Figure 2-1. The symmetric key algorithms use small key 
size compared to public or asymmetric key encryption. Symmetric key encryption 
algorithms are used for bulk data encryption, as public key encryption algorithms 
require a lot of computational resources. The following section gives a quick insight 
into the principles used in the design of these symmetric ciphers. 
2.2.1 Principles of Symmetric Key Algorithms 
Most encryption algorithms are based on a combination of the following general 
principles [2]: 
o Substitution, in which each element in the plaintext is mapped into another 
element. 
o Transposition (diffusion), in which elements in the plaintext are rearranged 
by means of shifts and rotations. 
o XOR (exclusive OR), in which elements in the plaintext are manipulated 
according to the truth table of XOR. 
Table 2-2 Characteristics of Popular Symmetric Key Algorithms 
Encryption Algorithms | Transformations / Mathematics Involved | Key Length (bits) | Comments 
Data Encryption Standard (DES) | 1. Initial Permutation; 2. Expansion Permutation; 3. S-Box Substitution; 4. Final Permutation; 5. Key Generation | 56 | DES is easily breakable because of short key length. 
Advanced Encryption Standard (AES) | 1. AddRoundKey; 2. SubBytes; 3. ShiftRows; 4. MixColumns | 128 (Supports 192, 256 bits) | AES is the latest encryption algorithm suitable for variety of platforms ranging from smart cards to big servers. 
Most systems, referred to as product systems, involve multiple stages of substitutions, 
transpositions and XOR transforms. Table 2-2 summarises the various substitution, 
transposition, and XOR transformations involved in popular symmetric ciphers. 
Section 2.2.2 will discuss popular symmetric key algorithms in brief. 
2.2.2 Brief History of Symmetric Key Algorithms 
Symmetric key encryption, also referred to as conventional encryption or single key 
encryption, was the only type of encryption in use prior to the development of 
asymmetric key encryption. It remains by far the most widely used of the two types of 
encryption schemes. Symmetric key encryption has been in use from the Roman period 
until today [1]. 
DES has been the most widely used symmetric key encryption algorithm since 1977. 
However, with the advancement in modern technology, it has now become 
increasingly feasible to break DES-encrypted cipher data [2]. 
As a result, the Triple DES algorithm [2,3] emerged which, as the name implies, encrypts a 
given plaintext by applying the DES algorithm three times. If E_K(I) and D_K(I) represent 
the encryption and decryption of I using DES key K respectively, then Triple-DES 
encryption is given by E_K3(D_K2(E_K1(I))), where K1, K2 and K3 are three keys. The 
decryption of I using Triple-DES is given by D_K1(E_K2(D_K3(I))). 
But in 1997, NIST officials re-energized cryptography by holding a global 
competition and inviting cryptographers to submit their best encryption algorithms 
[2,19,20,21]. From those submissions, NIST selected the fast and tough-to-break 
Rijndael algorithm, submitted by two Belgian researchers, Dr. Vincent Rijmen and Dr. 
Joan Daemen, as the winner and referred to it as the AES. The AES is expected to replace 
Triple-DES eventually because of its strong cryptographic features and larger key 
sizes. Section 2.3 will discuss the AES in greater detail. 
2.2.3 Introduction to the AES Algorithm 
In January 1997, the US NIST announced the start of an initiative to develop a new 
encryption standard: the AES. The new encryption standard was to become a Federal 
Information Processing Standard (FIPS), replacing the old DES and triple-DES. NIST 
invited proposals for the new encryption standard from researchers and organisations 
across the world. In September 1997, the final request for candidate nominations for 
the AES was published. NIST declared that it was looking for a block cipher as secure 
as triple-DES, but much more efficient [19,20,21,35]. 
There were 15 AES candidate algorithms that were accepted for consideration for the 
first evaluation round. The names of the candidate algorithms are CAST-256, 
Crypton, DEAL, DFC, E2, Frog, HPC, LOKI97, Magenta, MARS, RC6, Rijndael, 
SAFER+, Serpent and Twofish. All these candidate algorithms were presented at The 
First Advanced Encryption Standard Candidate conference, held in Ventura, 
California, on 20-22 August 1998. This was the official start of the first evaluation 
round, during which the international cryptographic community was asked to mount 
attacks and try different cryptanalysis on different candidates and also to evaluate the 
implementation cost. In March 1999, the second AES conference was held in Rome, 
Italy. The papers presented at the conference ranged from crypto-attacks, cipher cross-
analysis, smart card related papers and candidate algorithms cost evaluation. After the 
second conference, NIST announced the five finalists in August 1999. The finalists 
were MARS, RC6, Rijndael, Serpent and Twofish. 
After the announcement of five candidates NIST made another open call for 
contributions focused on the finalists. A third conference was held in New York City 
in April 2000 to discuss intellectual property issues and performance and chip area in 
dedicated hardware implementations. On 2nd October, 2000, NIST officially 
announced that Rijndael would become the AES. 
The report by NIST [19] that justifies the choice of Rijndael as the Advanced 
Encryption Standard states the following advantages of AES: 
"Rijndael appears to be consistently a very good performer in both hardware and 
software across a wide range of computing environments regardless of its use in 
feedback or non-feedback modes. Its key setup time is excellent, and key agility is 
good. Rijndael's very low memory requirements make it very well suited for 
restricted space environments, in which it also demonstrates excellent performance. 
Rijndael is very robust to power and timing attacks." 
2.2.3.1 Differences Between Rijndael and AES 
Rijndael algorithm is a block cipher that became the AES in year 2000. A block 
cipher is a function which maps n-bit plain data blocks to n-bit cipher data blocks; n is 
called the block length. The function is parameterized by a key. 
The difference between Rijndael and the AES is the range of supported values for the 
block length and cipher key length. Rijndael is a block cipher with both a variable 
block length and a variable key length. The block and key length can be independently 
specified to any multiple of 32 bits, with a minimum of 128 bits and a maximum of 
256 bits. It would be possible to define versions of Rijndael with a higher block length 
or key length. The AES fixes the block length to 128 bits, and supports key lengths of 
128, 192 or 256 bits only. The extra block and key lengths in Rijndael were not 
evaluated in the AES selection process, and consequently they are not adopted in the 
current FIPS standard [19,20,21]. 
2.2.3.2 Mathematics Involved in the Design of the Rijndael Algorithm 
The design of the Rijndael algorithm relies on properties of finite fields, one of the 
elements of modern or abstract algebra. A finite field is a field with a finite number of 
elements. The number of elements in the field is called the order of the field. A finite 
field of order p^n is generally written as GF(p^n); GF stands for Galois Field. p is called 
the characteristic of the finite field [2,33]. All fields used in the description of 
Rijndael have a characteristic of 2 with n = 8. Thus basic operations of AES are 
defined over elements of the field GF(2^8). 
The finite field GF(2^8) can be represented in several ways. The specification of Rijndael 
has adopted the polynomial representation of bytes with coefficients over the field 
GF(2). A polynomial representation of a byte b(x) with coefficients over the field GF(2) is 
represented as follows: 
(1-1) 
18 
Chapter 2. Encryption 
And the binary representation of this polynomial is as follows: 
(2-2) 
For example a byte C1 in hexadecimal can be represented in binary form as 1100
0001 and in polynomial form as x^7 + x^6 + 1.
The addition of two polynomial bytes in GF is defined as addition of the
corresponding polynomials. In case of polynomials over GF(2) addition is just a
XOR operation. The bitwise XOR addition is represented as ⊕.
For byte multiplication the following irreducible polynomial is used in the description
of AES.
(2-3)
Multiplication in Galois field is represented as ⊗. The multiplication of two
polynomials a(x) and b(x) is defined as the algebraic product of the polynomials
modulo the irreducible polynomial m(x).
\[ c(x) = a(x) \otimes b(x) = a(x)\,b(x) \bmod m(x) \] (2-4)
2.3 Encryption Using the AES Algorithm 
AES is a symmetric key algorithm, in which both the sender and the receiver use a 
single key for encryption and decryption. For encryption the input is a plain data 
block and a key, and the output is a cipher data block. For decryption, the input is a 
cipher data block and a key, and the output is a plain data block. It is an iterative 
algorithm and each iteration is called a round. The number of rounds is denoted by Nr
and depends on block length and key length. For 128-bit block length of data, the total
number of rounds (Nr) is 10, 12, or 14 when the key length is 128, 192 or 256 bits,
respectively. Each round in AES except the final round consists of four
transformations: SubBytes, ShiftRows, MixColumns and AddRoundKey. The final
round does not have the MixColumns transformation as shown in Figure 2-4 [2]. The
decryption flow is simply the reverse of the encryption, and each operation is the
inverse of the corresponding one in encryption [2,19,20,33].
The round transformation of AES and its steps operate on some intermediate results, 
called state. The state can be visualized as a rectangular matrix with four rows. The 
number of columns in the state is denoted by Nb and is equal to the block length in 
bits divided by 32. For a 128-bit data block (16 bytes) the value of Nb is 4, hence the
state is treated as a 4 x 4 matrix and each element in the matrix represents a byte. For
the sake of simplicity, in the rest of the chapter both the data block and the key
lengths are considered as 128-bit long. However all the discussions and the results 
hold true for 192-bit and 256-bit keys as well. 
[Flow chart: Plaintext and Key; AddRoundKey with K(0); rounds of SubBytes, ShiftRows, MixColumns and AddRoundKey up to K(Nr-1); final SubBytes, ShiftRows and AddRoundKey with K(Nr); Ciphertext. Round keys are supplied by Key Expansion & Key Register.]
Figure 2-4 AES Algorithm Flow Chart For Encryption
2.3.1 Encryption of Round Transformations 
For a block of 128 bits, the input is grouped into 16 bytes and arranged into a 4x4
matrix called a state matrix [2,19]. In (2-5), input state matrix [a_ij] represents four
columns and four rows of the state matrix, where 0 ≤ i < 4, and 0 ≤ j < 4 for 128-bit
data.
\[
\begin{bmatrix}
a_{00} & a_{01} & a_{02} & a_{03} \\
a_{10} & a_{11} & a_{12} & a_{13} \\
a_{20} & a_{21} & a_{22} & a_{23} \\
a_{30} & a_{31} & a_{32} & a_{33}
\end{bmatrix}
\]
(2-5)
2.3.1.1 SubBytes Transformation 
This is the non-linear transformation of the algorithm. This transformation is carried
out using the S-Box look-up table (LUT) [2,19]. AES defines a 16 x 16 matrix of
byte values, called an S-Box look-up table, that contains a permutation of all possible
256 8-bit values [2,19]. Each individual byte of state matrix is mapped into a new byte
in the following way: The leftmost 4 bits of the byte are used as a row value and the
rightmost 4 bits are used as a column value. These row and column values serve as
indexes into the S-Box to select a unique 8-bit output value.
[Diagram: the S-Box table indexed by x (rightmost four bits of state byte a → {xy}) and y (leftmost four bits of state byte a → {xy}); 'b' is the output byte from the S-Box for input byte a, b = S-Box (a).]
Figure 2-5 S-Box Look Up Table (LUT)
In Figure 2-5, leftmost four bits of a byte are denoted by y and the right most four bits 
by x. Each byte in the state matrix is substituted with another byte by looking for the 
entry in the x-row and the y-column of the LUT as shown in Figure 2-5 [2,19]. 
The input state matrix [a_ij] is transformed into a new matrix [b_ij] using S-Box as
shown in (2-2). Each individual byte of input state matrix, a_ij, is mapped into a new
byte, b_ij, using the S-Box i.e. b_ij = S-Box (a_ij).
\[
\begin{bmatrix}
b_{00} & b_{01} & b_{02} & b_{03} \\
b_{10} & b_{11} & b_{12} & b_{13} \\
b_{20} & b_{21} & b_{22} & b_{23} \\
b_{30} & b_{31} & b_{32} & b_{33}
\end{bmatrix}
=
\begin{bmatrix}
\text{S-Box}(a_{00}) & \text{S-Box}(a_{01}) & \text{S-Box}(a_{02}) & \text{S-Box}(a_{03}) \\
\text{S-Box}(a_{10}) & \text{S-Box}(a_{11}) & \text{S-Box}(a_{12}) & \text{S-Box}(a_{13}) \\
\text{S-Box}(a_{20}) & \text{S-Box}(a_{21}) & \text{S-Box}(a_{22}) & \text{S-Box}(a_{23}) \\
\text{S-Box}(a_{30}) & \text{S-Box}(a_{31}) & \text{S-Box}(a_{32}) & \text{S-Box}(a_{33})
\end{bmatrix}
\]
(2-6)
This S-Box LUT used in SubBytes transformation is constructed using the following
steps:
Step 1: Initialize the S-Box with the byte values in ascending sequence row by row.
The first row contains 00, 01, 02, 03 ... 0F; the second row contains 10, 11, ... 1F
and so on. Thus, the value of the byte at row x, column y is xy.
Step 2: Calculate the multiplicative inverse of each byte in the S-Box under Galois
Field GF(2^8) with irreducible polynomial (x^8 + x^4 + x^3 + x + 1).
Step 3: Then carry out the affine transformation on each bit
(b7, b6, b5, b4, b3, b2, b1, b0) of the byte (b) as follows
(2-7)
where c_i is the ith bit of byte c with the value (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011);
b'_i represents the updated bit value by the expression on the right.
2.3.1.2 ShiftRows Transformation
This step causes diffusion of the bits over multiple rounds [2,19]. ShiftRows
transformation cyclically shifts the rows of the state over different offsets. The row 0
in the matrix is not shifted, row 1 is shifted left by one byte, row 2 is shifted left by
two bytes, and row 3 is shifted left by three bytes giving the new state matrix.
\[
\begin{bmatrix}
c_{00} & c_{01} & c_{02} & c_{03} \\
c_{10} & c_{11} & c_{12} & c_{13} \\
c_{20} & c_{21} & c_{22} & c_{23} \\
c_{30} & c_{31} & c_{32} & c_{33}
\end{bmatrix}
=
\begin{bmatrix}
b_{00} & b_{01} & b_{02} & b_{03} \\
b_{11} & b_{12} & b_{13} & b_{10} \\
b_{22} & b_{23} & b_{20} & b_{21} \\
b_{33} & b_{30} & b_{31} & b_{32}
\end{bmatrix}
\]
(2-8)
The state matrix from the SubBytes transformation [b_ij] is transformed into a new
matrix [c_ij] using the ShiftRows transformation as in (2-4).
2.3.1.3 MixColumns Transformation 
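This linear transformation operates on the state matrix column by column [2,19]. The
matrix obtained from the last step i.e. ShiftRows, [c_ij], is multiplied with a standard
matrix to produce a new output matrix [d_ij]. The transformation can be defined by a
matrix multiplication as follows.
\[
\begin{bmatrix}
d_{00} & d_{01} & d_{02} & d_{03} \\
d_{11} & d_{12} & d_{13} & d_{10} \\
d_{22} & d_{23} & d_{20} & d_{21} \\
d_{33} & d_{30} & d_{31} & d_{32}
\end{bmatrix}
=
\begin{bmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{bmatrix}
\otimes
\begin{bmatrix}
c_{00} & c_{01} & c_{02} & c_{03} \\
c_{10} & c_{11} & c_{12} & c_{13} \\
c_{20} & c_{21} & c_{22} & c_{23} \\
c_{30} & c_{31} & c_{32} & c_{33}
\end{bmatrix}
\]
(2-9)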
[Diagram: each column of the state matrix [c_ij] is multiplied (⊗) by the matrix with rows 02 03 01 01, 01 02 03 01, 01 01 02 03 and 03 01 01 02 to give the corresponding column of the output matrix [d_ij].]
Figure 2-6 MixColumns Transformation
Each byte of a product matrix is the sum of products of elements of one row and one
column. In this case, the individual additions and multiplications are performed in
GF(2^8). The MixColumns transformation on a single column j of state matrix can be
expressed as follows.
\[
\begin{aligned}
d_{0j} &= (2 \otimes c_{0j}) \oplus (3 \otimes c_{1j}) \oplus c_{2j} \oplus c_{3j} \\
d_{1j} &= c_{0j} \oplus (2 \otimes c_{1j}) \oplus (3 \otimes c_{2j}) \oplus c_{3j} \\
d_{2j} &= c_{0j} \oplus c_{1j} \oplus (2 \otimes c_{2j}) \oplus (3 \otimes c_{3j}) \\
d_{3j} &= (3 \otimes c_{0j}) \oplus c_{1j} \oplus c_{2j} \oplus (2 \otimes c_{3j})
\end{aligned}
\]
(2-10)
The graphical representation of the MixColumns transformation is as shown in Figure
2-6. Here each column of the state matrix is multiplied by a predefined matrix to
produce a new column in the output matrix, [d_ij].
2.3.1.4 AddRoundKey Transformation 
In this step, the matrix is XORed with the expanded round key [2,19]. The original
key consists of 128 bits arranged as a 4x4 matrix of 16 bytes. Each column in the
matrix is treated as a 32-bit word, thus the initial key matrix has four columns or four
words. This initial key is expanded to 40 more columns or words, four columns for
each round, by the key expansion algorithm. The key matrix is XORed with the state
matrix as in (2-11). The key expansion is described in detail in the following section.
\[
\begin{bmatrix}
e_{00} & e_{01} & e_{02} & e_{03} \\
e_{10} & e_{11} & e_{12} & e_{13} \\
e_{20} & e_{21} & e_{22} & e_{23} \\
e_{30} & e_{31} & e_{32} & e_{33}
\end{bmatrix}
=
\begin{bmatrix}
d_{00} & d_{01} & d_{02} & d_{03} \\
d_{10} & d_{11} & d_{12} & d_{13} \\
d_{20} & d_{21} & d_{22} & d_{23} \\
d_{30} & d_{31} & d_{32} & d_{33}
\end{bmatrix}
\oplus
\begin{bmatrix}
k_{00} & k_{01} & k_{02} & k_{03} \\
k_{10} & k_{11} & k_{12} & k_{13} \\
k_{20} & k_{21} & k_{22} & k_{23} \\
k_{30} & k_{31} & k_{32} & k_{33}
\end{bmatrix}
\]
(2-11)
These aforementioned four transformations are carried out for Nr-1 rounds [32].
During the final round, only the following transformations are performed: SubBytes,
ShiftRows and AddRoundKey. MixColumns is not performed in the final round. The
entire encryption process is shown by a block diagram given in Figure 2-4.
2.3.2 Key Expansion 
The second input to the AES algorithm is a 128-bit key which is expanded internally by
the KeyExpansion algorithm [2,19,20,33]. In this algorithm the 128-bit input key is
treated as a key array of four words or four columns. Each word is 32 bits in length.
The KeyExpansion algorithm expands the four-word input key to a 44-word key. This is
sufficient to provide a key for the initial round and each of the 10 rounds of the AES cipher.
The 128-bit input key is represented as a key matrix [k_ij], 0 ≤ i < 4, and each element
in the matrix is a byte. For a 128-bit key, the key matrix has 16 elements or bytes. Each
column of the key matrix is treated as a 32-bit word, and hence the input key has four
words namely w0, w1, w2 and w3, as shown in Figure 2-7 [2]. This input key is
expanded into a 44-word key by the KeyExpansion algorithm as shown in Figure 2-8. The
first group of four words, w0, w1, w2 and w3, provide the key for the initial round. The
subsequent group of four words, w4, w5, w6 and w7, provide the round key for the first
round, w8, w9, w10 and w11 for the second round and so on.
[Diagram: the columns of the key matrix [k_ij] are the words w0, w1, w2, w3; in the expanded key, w0 to w3 form Round Key 0, w4 to w7 form Round Key 1, and the last four words form Round Key 10.]
Figure 2-7 AES Key Expansion
The key expansion algorithm can be expressed by the pseudo code as follows: 
KeyExpansion (byte key [16], word w [44])
{
    word temp
    for (i=0; i<4; i++)
        w[i] = (key[4*i], key[4*i + 1], key[4*i + 2], key[4*i + 3]);
    for (i=4; i<44; i++)
    {
        temp = w[i-1];
        if (i mod 4 = 0)
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
        w[i] = w[i-4] ⊕ temp
    }
}
Figure 2-8 Pseudo Code for Key Expansion Algorithm 
SubWord in the above pseudo code applies SubBytes to each of the four bytes in a
word. The function RotWord rotates each byte in a word one position to the left. For
example, the input word [k00, k10, k20, k30] is transformed to [k10, k20, k30, k00].
RCon(i) is the round constant word array, whose value is [RC(i), 0, 0, 0]. The values
of RC(i) are listed in Table 2-3. All these functions of key expansion are used as
shown in Figure 2-9.
Table 2-3 Round Constant Values
RC(1)  RC(2)  RC(3)  RC(4)  RC(5)  RC(6)  RC(7)  RC(8)  RC(9)  RC(10)
01     02     04     08     10     20     40     80     1b     36
[Diagram: the last column of the key matrix (k03, k13, k23, k33) is rotated and substituted to give SubBytes(k13), SubBytes(k23), SubBytes(k33), SubBytes(k03), which is XORed with RCon and with the first column (k00, k10, k20, k30) to give the first column of the new round key; each following new column is the XOR of the previous new column with the corresponding old column.]
Figure 2-9 Key Expansion Algorithm
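The round transformations of Section 2.3.1 and the key expansion of Figure 2-8, assembled into a working AES-128 encryption as an added example (not code from the thesis). The S-Box is built by Steps 1 to 3 using the affine transformation as FIPS-197 defines it; the function names and the flat column-major state layout are this example's own choices, and the key and block in the self-check are the FIPS-197 Appendix B values.

```python
"""AES-128 encryption assembled from the chapter's definitions (added example)."""

def gmul(a, b):
    """Multiply bytes a and b in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a              # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:
            a ^= 0x11B                # reduce by the irreducible polynomial
        b >>= 1
    return product

def ginv(a):
    """Multiplicative inverse in GF(2^8) computed as a^254; 0 is mapped to 0."""
    result = 1
    for _ in range(254):
        result = gmul(result, a)
    return result

def build_sbox():
    """S-Box construction: inverse (Step 2), then affine transformation (Step 3)."""
    sbox = []
    for value in range(256):          # Step 1: byte values 00, 01, ... FF
        b = ginv(value)
        out = 0
        for i in range(8):            # FIPS-197 affine map with c = 01100011
            bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
                   ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (0x63 >> i))
            out |= (bit & 1) << i
        sbox.append(out)
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # Table 2-3

def key_expansion(key):
    """Expand a 16-byte key into 44 four-byte words, following Figure 2-8."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[b] for b in temp]        # SubWord
            temp[0] ^= RCON[i // 4 - 1]           # Rcon[i/4] = [RC(i/4), 0, 0, 0]
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w

# The state is a flat list of 16 bytes; the byte at row r, column c is s[r + 4*c].
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # Row r is rotated left by r bytes: new[r][c] = old[r][(c + r) mod 4].
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):            # the four rows of equation (2-10)
            out.append(gmul(2, col[r]) ^ gmul(3, col[(r + 1) % 4])
                       ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return out

def add_round_key(s, w, rnd):
    round_key = [b for word in w[4 * rnd:4 * rnd + 4] for b in word]
    return [x ^ y for x, y in zip(s, round_key)]

def encrypt_block(plain, key):
    """Encrypt one 16-byte block with a 16-byte key (Nr = 10)."""
    w = key_expansion(key)
    s = add_round_key(list(plain), w, 0)
    for rnd in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, 10)   # final round: no MixColumns
    return bytes(s)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    plain = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print(encrypt_block(plain, key).hex())
```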
2.4 Decryption Using the AES Algorithm 
Decryption is the opposite process of encryption. The inputs to the decryption block are
a cipher data block and a key, and the output is a plain data block [2,19,20,33]. To
decrypt cipher data, the procedure followed is the exact opposite of the encryption
process. The decryption flow is simply the reverse of the encryption, and each
operation is the inverse of the corresponding one in encryption. An encryption round
has the transformations in the sequence SubBytes, ShiftRows, MixColumns and
AddRoundKey. The decryption has InvShiftRows, InvSubBytes, AddRoundKey and
InvMixColumns.
2.4.1 Straight Forward Decryption 
The block diagram for straight forward decryption algorithm can be obtained by 
inverting the encryption block diagram in Figure 2-4 [2]. Similar to the 
transformations used in encryption, the equivalent and inverse transformations used 
for decryption are InvSubBytes, InvShiftRows, InvMixColumns and AddRoundKey 
[2,19,36]. The round keys are the same as those generated by Key Expansion in
encryption (hence the same name, AddRoundKey), but are used in reverse order. A
standard round consists of InvSubBytes, InvShiftRows, InvMixColumns and
AddRoundKey operations while the final round consists of the same operations
excluding the InvMixColumns operation. The straight forward decryption block
diagram is shown in Figure 2-10 [36].
[Flow chart: Cipher Data and Key; AddRoundKey with K(Nr); rounds of InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns from K(Nr-1) down to K(1); final InvShiftRows, InvSubBytes and AddRoundKey with K(0); Plain Data. Round keys are supplied by Key Expansion & Key Register.]
Figure 2-10 Straightforward Decryption
But the sequence of transformations for encryption shown in Figure 2-4 is completely 
different from the sequence of transformations for decryption shown in Figure 2-10. 
However, it is possible to get an equivalent version of the decryption algorithm that 
has the same sequence of transformations as encryption with minor changes to the key 
schedule. 
2.4.2 Equivalent Decryption 
An encryption round has the transformations in the sequence SubBytes, ShiftRows,
MixColumns and AddRoundKey. The straight forward decryption has InvShiftRows,
InvSubBytes, AddRoundKey and InvMixColumns. In order to make the sequence of
decryption identical to encryption two changes have to be done. The first change is to
interchange the InvShiftRows and InvSubBytes transformations and the second is to
interchange InvMixColumns and AddRoundKey [2,19,36].
The first change can be made without change to the structure of the decryption
algorithm, because InvShiftRows simply shifts bytes and has no effect on the byte
values. InvSubBytes operates on individual bytes, independent of their position.
Therefore these two transformations can be interchanged. The InvMixColumns
transformation is linear and hence the following holds true.
InvMixColumns (InvSubBytes ⊕ RoundKey) = InvMixColumns (InvSubBytes) ⊕
InvMixColumns (RoundKey) (2-12)
This property allows the exchange of InvMixColumns and AddRoundKey if
RoundKeys are modified by the InvMixColumns transformation before they are added up
in the AddRoundKey transformation. By making the above two changes the
decryption structure can be made equivalent to encryption structure as shown in
Figure 2-11 [36].
[Flow chart: Cipher Data and Key; AddRoundKey with K(Nr); rounds of InvSubBytes, InvShiftRows, InvMixColumns and AddRoundKey, where the round keys K(Nr-1) down to K(1) pass through InvMixColumns before being added; final InvSubBytes, InvShiftRows and AddRoundKey with K(0); Plain Data. Round keys are supplied by Key Expansion & Key Register.]
Figure 2-11 Equivalent Decryption
2.4.3 Decryption of Round Transformations 
The transformations used during encryption are SubBytes, ShiftRows, MixColumns
and AddRoundKey. The structure of the AES round transformation requires that all
steps be invertible so that decryption is possible. The invertible round transformations
for the decryption process are InvShiftRows, InvSubBytes, AddRoundKey and
InvMixColumns, which are discussed below [2,19,36].
2.4.3.1 InvSubBytes Transformation
This transformation makes use of the inverse S-Box. The inverse S-Box is constructed
by applying the inverse affine transformation followed by taking the multiplicative
inverse in GF(2^8).
The inverse affine transformation is
\[ b'_i = b_{(i+2) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus d_i \] (2-13)
where d_i is the ith bit of byte d with the value (d7 d6 d5 d4 d3 d2 d1 d0) = (00000101).
2.4.3.2 InvShiftRows Transformation
InvShiftRows is the inverse transformation of ShiftRows. In this transformation, the
bytes in the first row of the state do not change; the second, third and fourth row shift
cyclically one byte, two bytes, and three bytes to the right, respectively [2,19,36].
2.4.3.3 InvMixColumns Transformation 
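This linear transformation operates on the state column by column similar to the
MixColumns transformation. The state matrix is multiplied with a standard matrix to
produce an output matrix. The transformation can be defined by matrix multiplication
as shown below
\[
\begin{bmatrix}
d_{00} & d_{01} & d_{02} & d_{03} \\
d_{11} & d_{12} & d_{13} & d_{10} \\
d_{22} & d_{23} & d_{20} & d_{21} \\
d_{33} & d_{30} & d_{31} & d_{32}
\end{bmatrix}
=
\begin{bmatrix}
c_{00} & c_{01} & c_{02} & c_{03} \\
c_{10} & c_{11} & c_{12} & c_{13} \\
c_{20} & c_{21} & c_{22} & c_{23} \\
c_{30} & c_{31} & c_{32} & c_{33}
\end{bmatrix}
\otimes
\begin{bmatrix}
0E & 0B & 0D & 09 \\
09 & 0E & 0B & 0D \\
0D & 09 & 0E & 0B \\
0B & 0D & 09 & 0E
\end{bmatrix}
\]
(2-14)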
2.4.3.4 AddRoundKey Transformation 
The round keys for decryption are the same as those generated by the key expansion
algorithm in encryption (hence the same name, AddRoundKey), but they are used in
reverse order [2,19,36].
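The exchange of InvMixColumns and AddRoundKey from Section 2.4.2, checked on single state columns with the coefficients of (2-14), as an added example that is not code from the thesis. Each matrix is applied to a state column as a matrix-by-column product in GF(2^8); the function names and the sample column and round-key word are constructed for this example.

```python
"""Equivalent decryption: why the round key must pass through InvMixColumns."""

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return product

MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]

INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def mul_column(matrix, column):
    """Matrix times one state column; sums are XOR, products are gmul."""
    out = []
    for row in matrix:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(coeff, byte)
        out.append(acc)
    return out

def xor_column(a, b):
    return [x ^ y for x, y in zip(a, b)]

def straightforward(column, round_key):
    """Order of Figure 2-10: AddRoundKey first, then InvMixColumns."""
    return mul_column(INV_MIX, xor_column(column, round_key))

def equivalent(column, round_key):
    """Order of Figure 2-11: InvMixColumns first, then AddRoundKey with the
    round key modified by InvMixColumns, as property (2-12) allows."""
    modified_key = mul_column(INV_MIX, round_key)
    return xor_column(mul_column(INV_MIX, column), modified_key)

def swapped_without_key_change(column, round_key):
    """The failure case: operations swapped but the round key left unmodified."""
    return xor_column(mul_column(INV_MIX, column), round_key)

def orders_agree_everywhere(round_key):
    """Compare both orders for every column holding one non-zero byte
    (constructed inputs; by linearity these cover all columns)."""
    for position in range(4):
        for value in range(256):
            column = [0, 0, 0, 0]
            column[position] = value
            if straightforward(column, round_key) != equivalent(column, round_key):
                return False
    return True

# Constructed sample values for the demonstration.
SAMPLE_COLUMN = [0x8E, 0x4D, 0xA1, 0xBC]
SAMPLE_ROUND_KEY = [0xA0, 0xFA, 0xFE, 0x17]

if __name__ == "__main__":
    print(straightforward(SAMPLE_COLUMN, SAMPLE_ROUND_KEY)
          == equivalent(SAMPLE_COLUMN, SAMPLE_ROUND_KEY))
    print(swapped_without_key_change(SAMPLE_COLUMN, SAMPLE_ROUND_KEY)
          == straightforward(SAMPLE_COLUMN, SAMPLE_ROUND_KEY))
```

A decryptor that swaps the two operations but keeps the encryption round keys unchanged produces wrong plain data, which is why the equivalent structure needs its own modified key schedule.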
2.5 The AES Modes 
The AES encryption algorithm accepts one data block and the key and produces the 
encrypted data block. The input and output data blocks are of identical size. The 
decryption algorithm accepts one encrypted data block and the key to produce the
plain data block. Modes of operation have been defined to apply the AES block
cipher to encrypt more than one 128-bit block of data. So, before embarking on 
implementation of AES, the mode of operation has to be selected [2,19,26,36,37]. 
The most commonly used modes with AES are: Electronic Code Book (ECB) mode, 
Cipher Block Chaining (CBC) mode, Output FeedBack (OFB) mode, Cipher 
FeedBack (CFB) mode and Counter (CTR) mode. ECB and CTR are known as non-
feedback modes whereas CBC, CFB and OFB are known as feedback modes. In 
addition, ECB and CBC are referred to as block cipher modes as they require the 
entire data block before the start of the encryption and OFB, CFB and CTR are 
referred to as stream cipher modes as they operate in a stream-like fashion. 
2.5.1 ECB Mode 
The ECB mode is the basic mode from which all other modes are built. As illustrated 
in Figure 2-12 [26], in this mode blocks of plain data are encrypted independently of
each other to form the cipher data. In Figure 2-12 P1, P2, ..., Pn represent the plain
data and C1, C2, ..., Cn represent the cipher data. K is the key used in both
encryption and decryption. The plain data blocks, the cipher data blocks and the key
are of 128-bit each. The 'E' and 'D' blocks perform encryption and decryption
respectively using the AES algorithm.
When the ECB mode encrypts data, the same plain data input results in the same
cipher data output, so patterns in the input can be revealed to an eavesdropper.
Therefore, the ECB mode is insecure for many applications [2,19,26,37].
Figure 2-12 Block Diagram of the ECB Mode
2.5.2 CBC Mode 
The CBC mode, illustrated in Figure 2-13 [26], is the mode in which the plain data
block is XOR-ed with the cipher data of the previous block before it is encrypted.
Figure 2-13 Block Diagram of the CBC Mode
The encryption of each block depends on all the previous blocks. The first block is
XOR-ed with an initial vector (IV), which is a random number. As data is processed
sequentially in the CBC mode, parallel processing is not possible. So it is not suitable
for high-speed applications. CBC requires a complete block of data to start encryption
so it is referred to as block cipher. For this reason it may not be suitable for real-time
applications [2,26,37].
2.5.3 OFB Mode 
In the OFB mode, as illustrated in Figure 2-14 [26], the output of the encryption is
fed back into the input to generate a keystream, which is then XOR-ed with the plain
data to generate the cipher data. Using this mode, pre-processing of the keystream is
possible as it is not dependent on the incoming plain data [2,26,37]. The data block
need not be 128-bit long but it can be of any length less than 128-bit. In such a case,
OFB is implemented using a shift register as shown in Figure 2-13. An initial vector
and the encrypted output data are divided into equal length sub-blocks of n bits (n is
less than 128 bits). For example if n = 32 then IV and the subsequent 128-bit block
are treated as consisting of four sub-blocks each.
Figure 2-14 Block Diagram of the OFB Mode
First the initial vector is encrypted and the output is XOR-ed with n bits of plain data
to form cipher data. Then IV is shifted n bits to the left and the n least significant bits
of it are replaced by the n least significant bits of the encrypted IV to form the next
data block. This encryption scheme is repeated until the end of the message is
reached. Hence OFB is referred to as n-bit stream cipher since it does not require the
whole 128-bit block for encryption as in the ECB, CBC block ciphers.
2.5.4 CFB Mode 
The CFB mode is another stream cipher mode, in which the block encryption output is
XOR-ed as a keystream with the plain data, but the feedback term to the encryption
algorithm is the cipher data itself (Figure 2-15). The n-bit stream cipher based on CFB
can be implemented using a shift register as shown in Figure 2-14 [26], where n is less
than 128 bits [2,37].
Figure 2-15 Block Diagram of the CFB Mode
2.5.5 CTR Mode
Figure 2-16 [26] shows a new mode, the CTR, which came into effect after the AES
has been made a standard. In CTR mode, a counter is encrypted to generate a
keystream, which is then XOR-ed with the plain data to generate the cipher data
[2,26,37]. A property of CTR mode, which is different from the CBC, CFB and OFB
modes, is that there is no feedback or chaining; therefore one can perform several
encryptions in parallel. This is a significant advantage in high-performance
applications.
Figure 2-16 Block Diagram of the CTR Mode
However the disadvantage with the CTR mode is that the successive blocks usually 
have small difference in their values as only few numbers of bits are different between 
two consecutive counter values. This would lead to differential cryptanalysis because 
an attacker can obtain many plain data pairs with a known small plain data difference. 
In addition, in CTR mode it is crucial that a counter value should not be reused as it 
will weaken the security of the message [3]. 
2.5.6 Discussion 
Table 2-4 [26] compares and summarizes the characteristics of all the AES modes. As 
discussed above, ECB and CTR modes do not use feedback from one block to another 
and hence they are known as non-feedback modes. CBC, OFB and CFB are known as 
feedback modes as they use feedback. ECB mode is not suitable to many applications
as it reveals the patterns in the encrypted output. Using CBC, OFB and CFB modes 
patterns are not observable in the output because of the feedback [26,37]. In non-
feedback mode like CTR also patterns are not observable because of the randomness 
of the keystream produced by the counter. Feedback modes, such as CBC, OFB and 
CFB, or a non-feedback mode, such as CTR, should be used in order to prevent data 
patterns in the cipher data. ECB and CBC are the block ciphers as they need complete 
block before starting of encryption whereas OFB, CFB and CTR are known as stream 
ciphers as they don't need the complete block to start encryption. In OFB and CTR 
modes, keystream can be generated beforehand i.e. even before the input data is
available. Hence these modes are suitable in applications where high-speed real-time 
encryption is needed. 
Table 2-4 Characteristics of the AES Modes 
Feature                    ECB    CBC    OFB     CFB     CTR
Pattern Observable?        Yes    No     No      No      No
Block/Stream Cipher?       Block  Block  Stream  Stream  Stream
Feedback Mode?             No     Yes    Yes     Yes     No
Pre-processing possible?   No     No     Yes     No      Yes
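The "Pattern Observable?" and "Pre-processing possible?" rows of Table 2-4, and the warning in Section 2.5.5 against reusing a counter value, reproduced as an added example that is not code from the thesis. To stay self-contained the 'E' box is a keyed BLAKE2b hash truncated to 128 bits, an assumption of this example standing in for AES encryption (the properties shown depend on the mode, not on the cipher); all keys, IVs, nonces and data are constructed.

```python
"""Mode behaviour of Table 2-4 shown with a stand-in block function."""
import hashlib

BLOCK = 16  # bytes, the 128-bit AES block length

def E(key, block):
    """Stand-in for the 'E' box of Figures 2-12 to 2-16 (NOT AES: a keyed
    hash, usable here because only the encryption direction is exercised)."""
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))    # truncates to the shorter input

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    return [E(key, p) for p in split(data)]      # blocks encrypted independently

def cbc_encrypt(key, iv, data):
    out, previous = [], iv
    for p in split(data):
        previous = E(key, xor(p, previous))      # chain on previous cipher block
        out.append(previous)
    return out

def ofb_keystream(key, iv, nblocks):
    """Keystream from feeding the output back; needs no plain data."""
    stream, feedback = [], iv
    for _ in range(nblocks):
        feedback = E(key, feedback)
        stream.append(feedback)
    return stream

def ctr_keystream(key, nonce, nblocks):
    """Keystream from encrypting nonce||counter; blocks are independent, so
    they can be computed in parallel and before the data arrives."""
    return [E(key, nonce + counter.to_bytes(8, "big")) for counter in range(nblocks)]

def stream_encrypt(keystream, data):
    return [xor(p, k) for p, k in zip(split(data), keystream)]

def pattern_report(key, iv, nonce, data):
    """Number of distinct blocks in the plain data and in each mode's output."""
    n = len(split(data))
    return {
        "plain": len(set(split(data))),
        "ECB": len(set(ecb_encrypt(key, data))),
        "CBC": len(set(cbc_encrypt(key, iv, data))),
        "OFB": len(set(stream_encrypt(ofb_keystream(key, iv, n), data))),
        "CTR": len(set(stream_encrypt(ctr_keystream(key, nonce, n), data))),
    }

def ctr_leaks_plain_xor(key, nonce1, nonce2, msg1, msg2):
    """True when XOR of the two cipher texts equals XOR of the two plain texts,
    which is what happens when the same counter values are used twice."""
    n = max(len(split(msg1)), len(split(msg2)))
    c1 = b"".join(stream_encrypt(ctr_keystream(key, nonce1, n), msg1))
    c2 = b"".join(stream_encrypt(ctr_keystream(key, nonce2, n), msg2))
    return xor(c1, c2) == xor(msg1, msg2)

# Constructed sample data: an image-like buffer with only two distinct blocks.
KEY = bytes(range(16))
IV = bytes([0xA5]) * BLOCK
NONCE = b"frame-01"                               # 8 bytes + 8-byte counter
IMAGE = (b"\x00" * BLOCK * 3 + b"\xff" * BLOCK) * 2
TELEMETRY_A = b"battery=27.9V temp=+14C mode=NOM"
TELEMETRY_B = b"battery=28.1V temp=-03C mode=SAF"

if __name__ == "__main__":
    print(pattern_report(KEY, IV, NONCE, IMAGE))
    print(ctr_leaks_plain_xor(KEY, NONCE, NONCE, TELEMETRY_A, TELEMETRY_B))
    print(ctr_leaks_plain_xor(KEY, NONCE, b"frame-02", TELEMETRY_A, TELEMETRY_B))
```

Only ECB keeps the two-block pattern of the input; with a repeated nonce the CTR cipher texts XOR to the XOR of the plain texts, so a design has to guarantee that a nonce and counter pair is never repeated under one key.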
2.6 Implementation Approaches to AES 
Several software and hardware implementations of AES have recently been proposed. 
The software implementations have targeted various platforms with the goal of 
reducing the number of CPU clock cycles required to encrypt a data block. Several 
hardware implementations are also available targeting Application Specific Integrated 
Circuits (ASICs) and Field Programmable Gate Arrays (FPGAs) with the aim of 
reducing gate count, power and to achieve high throughput [19,36]. These design 
goals can be achieved by applying various optimization design techniques as detailed 
below. 
Optimization techniques for hardware implementations are broadly divided into two 
categories - architectural and algorithmic optimization techniques [36]. 
2.6.1 Architectural Optimization Techniques 
A block diagram of the AES algorithm is shown in Figure 2-4. The corresponding 
processing architecture is known as basic or iterative architecture, which could be 
simplified as illustrated in Figure 2-17 [36]. Architectural optimization techniques 
include design practices such as pipelining (PP), sub-pipelining (SP) and loop 
unrolling (LU). These optimizations are described below. 
2.6.1.1 Pipelining 
Pipelining can increase the speed of encryption/decryption by processing multiple 
blocks of data simultaneously. It is realised by inserting rows of registers among 
combinational logic blocks. Parts of logic between two consecutive registers form a 
pipeline stage as shown in Figure 2-18 [36]. Each pipeline stage is one round unit of
AES and is referred to as outer round pipelining. Figure 2-17 [36] shows the original
iterative architecture of AES to which pipelining is applied as shown in Figure 2-18.
Figure 2-17 Iterative AES Architecture
Figure 2-18 Pipelining of the AES Algorithm
2.6.1.2 Sub-pipelining
Similar to pipelining, sub-pipelining also inserts registers among combinational logic 
blocks, but in this case, registers are inserted both between and inside each round as 
shown in Figure 2-19 [36]. Sub-pipelining is used to further increase the speed of 
encryption. It is also referred to as inner round pipelining. 
Figure 2-19 Pipelining & Sub-pipelining of AES
2.6.1.3 Loop Unrolling 
Loop unrolling or unfolded architectures can process only one block of data at a time,
but multiple rounds are performed in each clock cycle. Figure 2-20 [36] shows the
fully unrolled block diagram of the AES. Detailed studies of these architectures can
be found in [19, 48].
Figure 2-20 A Loop Unrolling AES Architecture
In addition to the above optimization techniques the size of the architecture (8-bit, 32-
bit, 128-bit) also affects the performance in particular chip area of the 
implementation. For instance, a 32-bit data path architecture needs four S-Boxes to 
compute the SubBytes function of a 32-bit word, while a 128-bit architecture requires 
16 S-Boxes. S-Boxes are the most area consuming parts of an AES hardware 
implementation. The number of S-Boxes determines the overall size of an AES
hardware module. Thus, using an efficient approach for implementing the S-Boxes is 
crucial for an AES hardware design. 
Pipelining and sub-pipelining can increase the throughput for non-feedback modes like
ECB and CTR. In feedback modes like CBC, CFB, OFB, the encryption/decryption of 
the next block cannot start until the current block is finished. In this case, pipelining 
does not lead to any speedup, because only one stage is processing one block of data 
in each cycle, while the other stages are idle. Therefore pipelined architectures are not 
suitable for feedback applications. So the optimisation option for feedback modes is 
loop unrolling but it comes with a very high hardware overhead [36]. 
The speed and area trade-offs of the AES algorithm are dependent not only on the 
overall architecture of the encryption/decryption block, but also on the 
implementation of each round unit. A variety of methods have been brought up to
implement an individual round unit. They are discussed in the following section.
2.6.2 Algorithmic Optimization Techniques 
Algorithm level optimization techniques target the method of implementation of each 
individual AES transformation. As discussed in Section 2.3, AES has four 
transformations in each round called SubBytes, MixColumns, ShiftRows and 
AddRoundKey. No optimization is to be performed on ShiftRows and AddRoundKey 
transformations, since no logic gates are needed for the former transformation and 
only one step of XOR operation is needed for the latter. However different methods 
can be used to implement the SubBytes and MixColumns transformations. Both 
transformations can be implemented using either look-up table (LUT) or 
combinational logic (Non-LUT) approaches. Algorithmic optimization techniques 
can be applied to both feedback and non-feedback modes, irrespective of presence of 
feedback. 
As discussed in Section 2.4, the SubBytes transformation can be implemented using 
the pre-calculated LUT called S-Box. Multiplicative inverse of each possible 
combination of a byte element followed by affine transform is pre-calculated and 
stored in the form of a LUT of 256 elements. Alternatively, the SubBytes 
transformation can be calculated on the fly by calculating the multiplicative inverse of 
each byte in the state matrix. Various approaches such as extended Euclid, powers of 
primitive elements, Itoh and Tsuji's algorithm, composite field mathematics etc. are 
available for the calculation of multiplicative inverse in GF(2^8). In particular,
composite field inversions were found to be efficient over GF(2^8), and were used to
create compact AES implementations. Using composite field arithmetic operations,
elements in GF(2^8) are mapped to isomorphic-field GF((2^4)^2). GF(2^4) operations are
used to calculate the multiplicative inverse in GF(2^8) [19,38].
Similarly, there are two ways for implementing the MixColumns transformation. It 
can be implemented either using the LUT or non-LUT approaches. As discussed in 
Section 2.4, MixColumns transforms every column in the state matrix by multiplying
it with a predefined polynomial [2 3 1 1]. Following the LUT approach the
MixColumns transformation can be implemented using the pre-calculated LUTs
[19,36]. S-Box is multiplied by 2 and 3 in GF(2^8) and is stored in tables referred to as
T-Box2 and T-Box3 respectively. Alternatively, Galois field multiplication by 2 and
3 is carried out on the fly.
The implementation of the SubBytes and MixColumns transformations using LUT and 
non-LUT approaches gives rise to several implementation options. Four possible 
implementations using different approaches are defined in Table 2-5. 
Table 2-5 Implementation Options of the AES Algorithm 
Implementation Approach   SubBytes                               MixColumns
Option1                   LUT (S-Box)                            Non-LUT (Multiplication in Galois field)
Option2                   Non-LUT (Composite field arithmetic)   Non-LUT (Multiplication in Galois field)
Option3                   LUT (S-Box, T-Box 2, T-Box 3) (single entry spanning both columns)
Option4                   Non-LUT (Composite field arithmetic)   LUT (S-Box, T-Box2, T-Box3)
Option1 in Table 2-5, which is a combination of LUT and combinational logic, is the 
most widely used hardware implementation approach to the AES algorithm. Option2 
is implemented using combinational logic entirely. Option3 is purely a look-up table 
approach, where both the SubBytes and MixColumns LUTs are merged together and 
implemented using the S-Box and T-Boxes. 
Option4 in Table 2-5 is not a viable implementation option. To implement 
MixColumns using LUT approach one needs to have all the three look up tables -
SBox, TBox 2 and TBox 3 as in Option3. Also additional combinational logic is 
needed for composite field implementation of SubBytes. Hence this implementation 
option does not offer any novel aspects but presents an additional overhead in terms 
of power and area as SubBytes is implemented using both SBox LUT and 
combinational logic. 
2.6.3 Implementation of Key Expansion 
In a hardware implementation of AES, the key expansion process can be 
accomplished in one of two ways to generate the round keys. Roundkeys can either be 
generated beforehand and stored in memory or be generated on the fly. The AES key 
expansion algorithm was designed to be usable on the fly, such that the Roundkeys 
can be expanded iteratively in real-time as and when they are required by the 
encryption algorithm. This is especially useful if the AES keys need to change on a 
regular basis. The only penalty here is that additional Roundkey expansion hardware is 
required. This approach is the most commonly used, as the solution is completely 
implemented in hardware, with no external support required [19]. 
If AES keys do not get changed too often, then Roundkeys may be expanded off-line 
and stored in memory for subsequent use. This can save a significant number of gates 
and reduce the total power consumption, and is especially appropriate in low resource 
implementations in FPGA, where suitable Roundkeys buffer RAM is readily available 
at low cost. 
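The following Python sketch is an added example, not code from the thesis. It builds AES-128 encryption so that Options 1 to 3 of Table 2-5 (Section 2.6.2) and the two key expansion styles of Section 2.6.3 can be swapped and compared; the function names, the a^254 inversion method and the FIPS-197 test vector are choices made for this example.

```python
# Added example, not code from the thesis: AES-128 encryption in which the
# Table 2-5 options and both key-expansion styles are interchangeable.

def xtime(a):
    """Multiply by 2 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a, b):
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Inverse as a^254, with 0 mapped to 0 (method assumed for this example)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b):
    """AES affine transform: b XOR its four left rotations XOR 0x63."""
    r = 0x63
    for s in range(5):
        r ^= ((b << s) | (b >> (8 - s))) & 0xFF
    return r

def sub_byte_nonlut(b):
    """SubBytes on the fly: inversion followed by the affine transform."""
    return affine(gf_inv(b))

# LUT approach: three 256-entry tables calculated once.
SBOX = [sub_byte_nonlut(b) for b in range(256)]
TBOX2 = [xtime(s) for s in SBOX]        # S-Box multiplied by 2
TBOX3 = [xtime(s) ^ s for s in SBOX]    # S-Box multiplied by 3

def mix_column(col):
    """Non-LUT MixColumns on one column with coefficients [2 3 1 1]."""
    return [xtime(col[i]) ^ xtime(col[(i + 1) % 4]) ^ col[(i + 1) % 4]
            ^ col[(i + 2) % 4] ^ col[(i + 3) % 4] for i in range(4)]

def option1(col):
    """S-Box LUT for SubBytes, Galois field arithmetic for MixColumns."""
    return mix_column([SBOX[b] for b in col])

def option2(col):
    """Both transformations computed on the fly, no tables in the round."""
    return mix_column([sub_byte_nonlut(b) for b in col])

def option3(col):
    """Look-ups only: S-Box, T-Box2 and T-Box3 merge both transformations."""
    return [TBOX2[col[i]] ^ TBOX3[col[(i + 1) % 4]]
            ^ SBOX[col[(i + 2) % 4]] ^ SBOX[col[(i + 3) % 4]] for i in range(4)]

def next_round_key(prev, rcon):
    """Derive one 16-byte round key from the previous one."""
    t = [SBOX[b] for b in prev[13:16] + prev[12:13]]   # SubWord(RotWord(w3))
    t[0] ^= rcon
    out = []
    for i in range(16):
        out.append(prev[i] ^ (t[i] if i < 4 else out[i - 4]))
    return out

def round_keys_on_the_fly(key):
    """Yield round keys one at a time; only the current key is held."""
    rk, rcon = list(key), 1
    yield rk
    for _ in range(10):
        rk, rcon = next_round_key(rk, rcon), xtime(rcon)
        yield rk

def round_keys_stored(key):
    """Expand off-line into a buffer of 11 round keys (176 bytes)."""
    return list(round_keys_on_the_fly(key))

def encrypt_block(pt, key_source, column_round=option1):
    """Encrypt 16 bytes; key_source is any iterable of the 11 round keys."""
    keys = iter(key_source)
    s = [p ^ k for p, k in zip(pt, next(keys))]
    for rnd in range(1, 11):
        # ShiftRows first; it commutes with the byte-wise SubBytes.
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]
        if rnd < 10:
            s = [b for c in range(4) for b in column_round(s[4 * c:4 * c + 4])]
        else:
            s = [SBOX[b] for b in s]    # final round has no MixColumns (table used here)
        s = [a ^ k for a, k in zip(s, next(keys))]
    return bytes(s)

if __name__ == "__main__":
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    for opt in (option1, option2, option3):      # FIPS-197 Appendix C.1 vector
        print(opt.__name__, encrypt_block(pt, round_keys_on_the_fly(key), opt).hex())
```

All three options and both key sources yield the same ciphertext; they differ only in table storage, arithmetic per byte, and whether 176 bytes of round keys are buffered.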
2.7 Literature Survey of AES Implementations 
Table 2-6 summarises recent software implementations of the AES algorithm on 
various general-purpose processors. As it can be seen from Table 2-6, AES has been 
coded using different programming languages and executed on various platforms 
including personal computers (Pentium CPU) and embedded computing systems, 
represented by the soft microprocessor cores LEON2 and Xilinx's Microblaze and 
DSP processors (Texas Instruments). JAVA on SPARC is delivering the throughput 
of 450 bps [39], lower when compared to the C implementations. Implementations 
using the C programming language have significantly higher throughputs ranging 
from 141 Kbps to 112.3 Mbps [39,40]. 
Table 2-6 Software Implementations of the AES 
Author and Publication Year   Processor           Cycle count (Cycles/byte)   Throughput   Power (mW)
Ravi 2002 [41]                C on Xtensa         1526.2                      N.A.         N.A.
T. Wollinger 2003 [40]        C on TMS320C6201    14.25                       112.3 Mbps   N.A.
                              C on Pentium Pro    N.A.                        70.5 Mbps    N.A.
Hwang 2003 [39]               Java on SPARC       N.A.                        450 bps      120
                              C on SPARC          N.A.                        345 Kbps     120
Hodjat 2004 [42]              C on LEON2          2828                        141 Kbps     558
B. Gladman 2006 [34]          C on Pentium 3      29.5                        N.A.         N.A.
N.A. stands for Not Available 
In addition to software implementations, various hardware implementations targeting 
FPGAs and ASICs are described in the literature. It has been found that hardware 
implementations of AES are targeted at different design goals such as high 
throughput, low power and compact design etc., which is achieved by applying various 
algorithmic and architectural optimization design techniques as detailed below. 
2.7.1 Review of AES Hardware Implementations 
Better and more efficient hardware implementation of AES has been the focus of 
numerous research projects aimed at achieving high throughput, low power and 
minimal device utilization. Many hardware implementations of the AES targeting 
ASICs and FPGAs are described in the literature. Table 2-7 shows a summary of the 
ASIC implementations of the AES whereas Table 2-8 shows a summary of the FPGA 
implementations. Each table is classified into two categories. The first classification, 
shown on the left hand side of the tables, divides the tables in two parts. The first part 
details encryption module implementations only whereas the second part relates to 
combined encryption and decryption module implementations. The second 
classification, shown on the right hand side of the tables, is done according to the 
algorithmic optimization options namely Options 1, 2 & 3. Almost all the FPGA 
implementations have targeted Xilinx FPGAs and most of the ASIC implementations 
have employed CMOS technology. 
Table 2-7 ASIC Implementations of the AES 
Author & Publication Year   Technology     Gate Count or Area   Throughput (Mbps)   Throughput/gate count (Mbps/Kgate)   Power (mW)   Archi. Opt
Encrypter
Henry 2002 [43]             CMOS 0.18 µm   613 K                2,290               3.7                                  54           LU
Papaefstathiou 2004 [44]    CMOS 0.18 µm   349 Kµm²             2,310               -                                    79.24        Iterative
                                           484 Kµm²             2,960               -                                    112.48       Iterative
Hodjat 2005 [45]            CMOS 0.18 µm   0.79 mm²             3,840               -                                    54           Iterative
Hodjat 2006 [46]            CMOS 0.18 µm   145 K                30,000              206                                  N.A.         SP-1-10
                                           275 K                70,000              254                                  N.A.         SP-2-10
Encrypter & Decrypter
N. Kim 2003 [47]            TSMC 0.18 µm   28.62 K              2,300               80.36                                314          Iterative
Su 2003 [48]                CMOS 0.35 µm   58.43 K              2,000               34.22                                N.A.         PP-4
Mangard 2003 [49]           CMOS 0.6 µm    15 K                 241                 16.06                                N.A.         SP
Lai 2004 [50]               CMOS 0.25 µm   80 K                 1,454               18.17                                N.A.         SP-5-10
Mukhopadhyay 2005 [51]      CMOS 0.18 µm   252 K                8,000               31.7                                 300          SP-2-10
Feldhofer 2005 [52]         CMOS 0.35 µm   3.4 K                9.9                 2.91                                 0.0045       Iterative
Table 2-8 FPGA Implementations of the AES 
Author & Publication Year   FPGA Used                         Slices (% of total slices)   BRAM   Throughput (Mbps)   TPS (Mbps/slice)   Algor. Opt.
Encrypter
Elbirt 2001 [53]            Xilinx Virtex (XCV1000-4)         3,528 (28.7%)                0      294.2               0.083              Iterative
                                                              5,302 (43.1%)                0      300.1               0.057              LU-2
                                                              10,286 (83.7%)               0      237.4               0.023              LU-5
                                                              5,281 (43%)                  0      545.9               0.103              PP-2
                                                              10,533 (85.7%)               0      1,165.8             0.111              PP-5
                                                              3,061 (24.9%)                0      491.9               0.161              SP-1-1
                                                              4,871 (39.6%)                0      949.1               0.195              SP-2-1
                                                              10,992 (89.5%)               0      1,937.9             0.176              SP-5-1
Saqib 2003 [54]             Xilinx Virtex (XCV812)            2,744 (58.2%)                0      258.5               0.09               Iterative
                                                              2,136 (45.4%)                100    2,868               1.29               PP-10
Chodowiec 2003 [55]         Xilinx Spartan (XC2S30-6)         222 (51%)                    3      174                 0.78               Iterative
Standaert 2003 [56]         Xilinx VirtexE (XCV3200E)         542 (1.67%)                  10     1,450               2.7                Iterative
                                                              2,784 (8.6%)                 100    11,776              4.23               PP
Zambreno 2004 [57]          Xilinx Virtex 2 (XC2V4000)        387 (1.7%)                   10     1,410               3.64               Iterative
                                                              1,532 (6.6%)                 50     4,640               3.03               LU-5
                                                              16,938 (73.5%)               0      23,570              1.39               LU-10 & SP-3
Kotturi 2005 [58]           Xilinx Virtex 2 Pro (XC2VP70-7)   5,408 (16.3%)                200    29,770              5.5                SP-3-10
Encrypter & Decrypter
Chitu 2002 [59]             Xilinx Virtex 2 (XC2V1000-4)      4,325 (84.4%)                38     739                 0.17               Iterative
Mcloone 2003 [60]           Xilinx VirtexE (XCV600E)          4,681 (67.7%)                20     310                 0.067              Iterative
Rodriguez 2003 [61]         Xilinx VirtexE (XCV2000E)         5,677 (29.6%)                80     4,121               0.72               PP-10
J. Wang 2003 [62]           Xilinx VirtexE (XCV812E)          3,046 (32.4%)                280    1,952               0.64               P-10
Rouvroy 2004 [63]           Xilinx Spartan3 (XC3S50-4)        163 (37.7%)                  3      208                 1.26               Iterative
Hodjat 2004 [64]            Xilinx Virtex 2 Pro (XC2VP20-7)   9,446 (101.7%)               0      21,640              2.3                SP-7-10
                                                              5,177 (55.8%)                84     21,540              4.2                SP-4-10
Zhang 2004 [38]             Xilinx Virtex (XCV1000-6)         11,014 (89.6%)               0      16,032              1.456              SP-7-10
                            Xilinx Virtex (XCV800)            9,406 (99.9%)                0      9,184               0.976              SP-3-10
Good 2006 [65]              Xilinx Spartan 2 (XC2S15)         122 (63.5%)                  2      2.18                0.017              Iterative
LUT → Look up table 
Non-LUT → non look up table (combinational) 
PP-X → Pipelining with X registers in between the rounds 
SP-Y-Z → Sub-pipelining with Y registers within the round and Z registers in between the rounds 
LU-A → Loop unrolled for A rounds 
TPS → Throughput per slice 
SB → SubBytes 
MC → MixColumns 
In order to observe the trends in both the encryption and the encryption & decryption 
implementations, the entries in Tables 2-7 & 2-8 are arranged in chronological order 
according to the year of the implementation, starting from the first published work to 
the latest. Clearly the trend is to achieve high throughput with minimum power and 
device utilization. The ASIC implementation in [52] uses just 3.4 K gates (CMOS 
0.35 µm process) with ultra low power of 4.5 µW. Similarly, the FPGA 
implementation in [65] uses just 122 slices of Spartan 2 FPGA, one of the smallest of 
Xilinx family FPGAs. Both these implementations use an iterative AES architecture 
and employ a complete combinational approach, as in Option2 (Table 2-5). However 
the throughputs achieved using these implementations are very low. Hence these AES 
implementations are suitable for applications where power and device area are very 
constrained but high throughput is not a concern. 
It can also be observed from Tables 2-7 & 2-8 that the majority of the ASIC & FPGA 
implementations have adopted the Option 1 approach where SubBytes is based on S-
Box LUT whereas MixColumns uses combinational logic. 
Another observation from Tables 2-7 & 2-8 is that most of the combined 
implementations of the encryption & decryption modules are carried out using 
Option2. The reason for this is that SubBytes is implemented by calculating the 
multiplicative inverse in GF(2^8) of each byte in the state matrix followed by an affine 
transformation. The InvSubBytes transformation required for the decryption is 
calculated by applying the inverse affine transformation followed by a multiplicative 
inverse of the state byte. Both SubBytes and InvSubBytes use the multiplicative 
inverse and hence there is much reduction in the hardware resources required [19,38]. 
By just using simple multiplexers to select between encryption or decryption both 
SubBytes and InvSubBytes can be implemented as shown in Figure 2-21 [36]. A few 
FPGA implementations [62,63] employ the Option3 approach where both the 
SubBytes and MixColumns are implemented using LUTs. 
[Figure: blocks x, Inverse Affine Transform, 2:1 Mux, Inversion in GF(2^8), Affine Transform, 2:1 Mux, y; select input Enc/Dec]
Figure 2-21 Block Diagram of the SubBytes and InvSubBytes Transformations 
Architectural optimization techniques resulting in basic iterative, loop unrolling, 
pipelining and sub-pipelining architectures have been adopted across the whole 
spectrum of AES implementations. It can be observed that an iterative architecture is 
adopted where moderate throughput of the order of few hundred Mbps is required, 
whereas LU and PP are used where high throughput in the order of a few hundred Mbps 
to few Gbps is required. SP is used in applications where very high throughput is 
required in the order of tens of Gbps. It can also be observed that all the SP 
implementations have followed the Option2 algorithmic optimization, where pure 
combinational logic is used throughout the implementation. Using the Option2 
approach, it is possible to insert registers inside the round as shown in Figure 2-19 to 
form sub-pipelining achieving ultra high throughputs. Among the FPGA 
implementations, a throughput as high as 30 Gbps on a Virtex 2 Pro FPGA with 5.5 
Mbits/s/slice is achieved [58]. ASIC implementations [46] achieved the highest 
throughput of 70 Gbps using Option2 and the SP technique. 
2.8 Conclusions 
In this chapter security services used in modern cryptography such as confidentiality, 
authentication, integrity, access control, and authorization have been discussed. 
Various security techniques, mechanisms and algorithms to serve the security services 
have been also discussed. 
The main focus of this chapter is on encryption, by far the most widely adopted 
security service for confidentiality. All the encryption algorithms can be classified 
into two categories namely symmetric and asymmetric key encryption algorithms. 
Symmetric key algorithms are used in high-speed bulk data encryption as they use 
smaller key sizes compared to public key encryption algorithms. A brief history of 
symmetric key algorithms has been summarized. 
The latest encryption standard called the Advanced Encryption Standard is 
introduced. The transformations used in the AES algorithm are discussed in greater 
detail. The AES key expansion and decryption algorithms are also discussed. Modes 
of operation of the AES such as ECB, CBC, CFB, OFB and CTR are discussed in 
detail and their characteristics are summarized too. 
AES is widely adopted to protect terrestrial systems and communications and is 
implemented on a wide variety of platforms. Various implementations of AES using 
different optimizations are investigated in detail. Results of a comprehensive survey 
of AES software and hardware (ASIC and FPGA) implementations on various 
platforms are presented and categorized according to the optimization techniques, 
algorithmic or architectural, employed in their implementation. The next chapter 
discusses the use of the AES on board satellites to encrypt the valuable data 
transmitted to ground. 
Chapter 3 
3 Satellite On-Board Encryption 
3.0 Introduction 
Even though there are many encryption algorithms and products available, the use of 
encryption technology in spacecrafts lags well behind the terrestrial systems. This is 
partly due to limited computational resources on-board, and partly due to the 
impression that satellites are very far and out of reach to hackers. But this is no longer 
true. Satellite manufacturers and users are realizing the importance of satellite 
communication security, especially after the cases where it has been proved that 
intrusion into satellite data is not an impossible task [8, 9, 10, 11, 23, 66]. 
In this chapter we address security needs of small EO satellites. Before going into the 
details of security services required in satellites, Section 3.1 briefly introduces the 
small satellite platform and on-board architecture block diagram. Section 3.2 gives the 
detailed description of on-board security measurements used in the existing and 
planned satellites. Section 3.3 discusses generic requirements of on-board security 
measurements for EO satellites and presents on-board security architecture for small 
satellites. Satellite image encryption using the AES algorithm is discussed in Section 
3.4 and Section 3.5 concludes the chapter. 
3.1 Overview to Small Satellites 
The trend in satellite industry has always been towards the design of large-sized, more 
capable, more sophisticated and more expensive missions. But, during the last two 
decades, advancements in microelectronics and the use of Commercial-Off-The-Shelf 
(COTS) technology in the design of spacecraft have led to the emergence of 
the so-called small satellite missions [12,14]. Small satellites are cheaper, less 
complex, require less maintenance and also take less amount of time to build 
compared to traditional large satellites. The demand for them is increasing more and 
more in recent years as they are affordable by large number of nations across the 
world. The spirit of the current small satellite world is encompassed by the slogan 
"Faster, Better, Smaller and Cheaper". 
Traditionally large satellites have been built by governments or large organizations, 
which had sufficient funding to build and maintain the satellite [66]. These satellites 
were designed and built without severe restrictions on mass and power of the satellite. 
For example, the communication satellite Intelsat 6 was built for 10 to 14 year 
operation with 6 m x 4 m x 12 m meters dimension and a mass of 4600 kg producing 
2600 W power by solar panels [68]. On the other hand a small satellite of today is 
built with very limited funding and with very strict constraints on power and mass. A 
typical small satellite has a mass of 50 kg, accommodating a space of 0.6 m x 0.6 m x 
0.6 m producing only 30 W of solar panel power. However, small satellite industry 
claims that 95 % of performance of large satellites can be achieved with small 
satellites at 5 % of the cost or 70 % performance at 1 % of the cost [14]. 
In general, satellites are broadly classified into large and small satellites according to 
their weight. Satellites weighing more than 500 kg are classified as large satellites and 
less than 500 kg as small satellites. Classification of satellites according to their 
weight is listed in Table 3-1 [12]. Approximate cost for each satellite family is also 
included in the table. Small satellites further fall into several categories as detailed in 
Table 3-1. Small satellites coming in between 10 kg and 500 kg are referred to as mini 
satellites, and those that fall between 10 and 100 kg are considered to be 
microsatellites. The smaller satellites are so-called nanosatellites, ranging from 10 kg 
down to 1 kg, and picosatellites that weigh in at less than 1 kg. The smallest category 
is the femtosatellites at less than one-tenth of a kilogram [12]. 
It has already been demonstrated that small satellites can provide platforms for 
carrying out successful civilian and military missions. The targeted missions of small 
satellites are as follows: science, EO, commercial telecommunications, military, 
technical demonstration and education. The scientific aims of small satellite missions 
are accomplished using a range of on-board sensors such as imaging sensors, radars 
etc. The next section will illustrate the operation of a small satellite, in particular EO 
small satellite, and will present an on-board block diagram. Also the operation of 
various on-board sub-systems like communications, data handling and imaging 
sensors will be discussed. Satellites built by Surrey Space Technologies Limited 
(SSTL), are used for the discussion of the small satellite platform in this thesis [12, 
69]. 
Table 3-1 Classification of Satellites 
Class              Mass (Kg)     Cost (£ M)
Large Satellite    > 1000        > 100
Medium Satellite   500-1000      25-100
Mini Satellite     100-500       7-25
Micro Satellite    10-100        1-7
Nano Satellite     1-10          0.1-7
Pico Satellite     0.1-1         < 0.1
Femto Satellite    0.001-0.1     < 0.1
3.1.1 Small Satellites Missions 
SSTL, a highly innovative spinout company of the University of Surrey, was the first 
professional organisation to offer low-cost small satellites by employing advanced 
terrestrial technologies. SSTL manufactures satellite platforms spanning the spectrum 
from the 6.5-kg Surrey Nanosatellite Applications Platform (SNAP) to the 400-kg 
Galileo In-Orbit Validation Element (GIOVE-A) as shown in Figure 3-1. SSTL has 
developed twenty seven small satellite missions to-date and few other satellites are in 
development. The latest satellite built by SSTL is CFESat and was successfully 
launched on 9th March 2007 from Cape Canaveral Air Force Station in Florida, USA. 
Some of the satellites built by SSTL are shown in Figure 3-1. SSTL's development of 
small satellites using COTS has dramatically reduced costs to the point where they are 
now affordable for many more nations [12,13]. 
Figure 3-1 Small Satellites Developed by SSTL 
SSTL's satellites are aimed at widely ranging applications including remote sensing, 
communication and technology demonstration. Remote sensing or EO satellites 
observe the Earth by taking images with smart imaging sensors (cameras) on-board to 
be used in monitoring the environment, disasters, vegetation map marking, urban 
planning etc. EO satellites used for disaster monitoring and mitigation applications 
usually require real-time monitoring in order to be able to react quickly to mitigate the 
effects of such disasters. Better performance and a wide range of services can be 
achieved by using a network or constellation of low cost EO small satellites. The next 
section will discuss SSTL's satellite constellation project called Disaster 
Monitoring Constellation (DMC). 
Earth observation with a constellation, i.e. a fleet of satellites in the same or similar 
orbit, is proposed for improvement of the monitoring coverage and re-visits. Modern 
small satellite technology now makes the rapid implementation of a 
network/constellation of disaster monitoring and mitigation satellites both feasible and 
affordable [70]. 
The Disaster Monitoring Constellation (DMC), shown in Figure 3-2 [72], is the first 
Earth observation constellation of 5 low cost small satellites providing daily images 
for applications including global disaster monitoring. Using DMC it is now possible 
to monitor any point on the globe with a minimum of a 24 hour repeat time. This 
capability is very useful to aid agencies when dealing with fires, floods, volcanic 
eruptions and earthquakes [12,13]. 
The DMC is an international project proposed and led by SSTL to construct a network 
of five affordable microsatellites. It comprises a partnership between organizations in 
Algeria, China, Nigeria, Turkey and the United Kingdom. Each organization has built 
an advanced yet low-cost Earth observation microsatellite to form the first ever 
constellation specifically designed and dedicated to monitoring natural and man-made 
disasters [72]. The first DMC microsatellite, AlSAT-1 of Algeria, was launched Nov. 
28, 2002. Satellites for Algeria, Turkey and Nigeria, built under a Know-How 
Transfer and Training (KHTT) program at Surrey (SSTL service from concept to 
orbit), were launched Sept. 27, 2003. The China DMC satellite was launched in 
October 2005. Each satellite in the DMC constellation has approximately a mass of 50 
kg, accommodating a space of 0.6 m x 0.6 m x 0.6 m producing only 30 W of solar 
panel power [73]. The next section will discuss the block diagram of on-board EO 
satellite. 
Figure 3-2 Constellation of Small Satellites (DMC) 
3.1.2 Earth Observation Small Satellite On-Board Block Diagram 
In general, an EO small satellite consists of a number of subsystems like 
communications, command and data handling, attitude determination and orbit 
control, power, propulsion subsystem and imaging payloads as shown in Figure 3-3. 
All these subsystems are interconnected to each other through an on-board bus or 
network. For the sake of simplicity Figure 3-3 shows only the main connections 
between the subsystems in order to give an overview of the satellite on-board 
structure [72,73]. Generally in satellites most of the blocks are duplicated to increase 
reliability, which is the reason for having duplicate receivers, transmitters, on-board 
computers (OBC) etc. in Figure 3-3. 
The receiver block in the communications subsystem receives the commands from 
ground station, known as uplink, demodulates and decodes the uplink signal and 
generates telecommands. These telecommands are sent to the OBC in the on-board 
command and data handling (OBCDH) subsystem and from there to subsequent 
subsystems like attitude control and/or payloads etc. depending on the nature of the 
command through the on-board bus. The OBCDH subsystem is responsible for the 
house keeping and distribution of commands to other subsystems through the bus. 
The transmitter in the communication subsystem encodes and modulates the data 
collected from the on-board subsystems in the satellite and transmits it to ground 
station, known as downlink. Usually, downlink consists of two parts: telemetry and 
payload data received from the satellite on-board control and imaging payload 
subsystems respectively. In Figure 3-3, low rate transmitters are used to downlink 
telemetry and high rate transmitters are used to transmit the bulk data stored in the 
mass memory of imaging payload subsystem. The following section will discuss the 
imaging payload unit in detail. 
The attitude control and propulsion subsystems are responsible for controlling the 
attitude and propulsion of spacecraft respectively. Global Positioning System (GPS) 
and power system are the other subsystems in the on-board architecture. 
[Figure: blocks Communications (two Receivers, two Low rate Transmitters, two High rate Transmitters), Command and Data Handling (OBC), Attitude Control, Propulsion, Navigation, Imaging Payload (Camera, Mass Memory Unit), Power (Solar Panels), connected by BUS; links Uplink, Low Speed Downlink, High Speed Downlink]
Figure 3-3 Block Diagram of On-Board Architecture 
3.1.2.1 Imaging Payload 
A typical imaging payload system consists of an imager, storage device and a 
transmission system as shown in Figure 3-3. A brief description of the stages which 
image has to pass from image capture to transmission has been outlined below. A 
satellite in the DMC constellation, AlSat-1, has been taken as an example to outline 
the process [13, 14]. 
In the first instance, payload takes the snapshot of area of interest as commanded by 
the ground station through uplink commands. In DMC satellites a three pair camera 
imager is employed for imaging as shown in Figure 3-4 [12]. Each of the three camera 
pairs operate at different bandwidths. The red and the green band scanning cameras 
provide visually representative data, whereas the near infra-red band camera can 
provide information about wild life in natural regions and heat exhaust of cities. 
Figure 3-4 DMC Imaging Sensor 
After the on-board camera has captured the image, the acquired data is transferred to 
the Solid State Data Recorder (SSDR). The main SSDR and redundant SSDR 
prototyping boards are shown in Figure 3-5 (a) and 3-5 (b) [12] respectively. An 
overview of the image data flow in the AlSAT-1 is shown in Figure 3-6 [12]. AlSAT-1 
uses two main recorders with 4 Gbit (512 Mbyte) memory each and are 
complemented by a functionally redundant but technologically different SSDR with 
storage capacity of 1 Gbit (128 Mbyte). Although the naming suggests that the 
SSDR is purely a storage device, it actually possesses powerful processing 
capabilities. For instance the main SSDR of AlSat-1 is based on MPC8260 Power PC 
processor and the redundant SSDR is based on SA1100 StrongARM processor. Once 
the satellite is in contact with a ground receiving station the recorder can dump the 
image data to one of the high-speed S-band transmitters for downlink. All nodes are 
controlled via Control Area Network (CAN). 
Figure 3-5 Solid State Data Recorders (a) Power PC Based (b) Strong Arm Based 
Figure 3-6 Block Diagram of Payload Data Handling in DMC Satellite 
The down-link speed of AlSat-1 through S-band is 40 Mbps. Figure 3-6 shows two 
antennas, but only one is in use. The second antenna is only used as backup if the first 
antenna fails. Both antennas are rarely in use at the same time, because that would use 
too much system power. 
In recent years, to predict and mitigate disasters quickly and accurately, there is a 
constant demand to monitor Earth's resources and environment changes very closely 
and accurately [12]. The imagers such as hyper spectral imagers, synthetic aperture 
radar (SAR) imagers etc. are being adopted to meet this demand. These imagers will 
generate terabits of data to meet the scientists' demand for higher spectral and spatial 
resolutions [70,73]. The data rates need to be very high to transmit the high volumes 
of data. It is projected that the data rates might be as high as 1 Gbps by 2010 [87]. 
Therefore the demand for high speed on-board processing such as compression, 
encryption etc. is also increasing. 
3.2 Encryption Used in Present Earth Observation Satellites 
At present, only a few EO satellites are equipped with on-board encryption to protect 
the data transmitted to ground station. But more and more organizations are planning 
to have on-board encryption in their future EO missions. A few EO satellites 
that are using on-board encryption are Space Technology Research Vehicle (STRV-1d), 
Meteorological Operational (MetOp-A) satellite, KOrea MultiPurpose Satellite 
(KOMPSAT-2) etc. Many more future missions are planning to have on-board 
encryption including the Canadian satellite RADARSAT-2, the Turkish satellite RASAT 
etc. Table 3-2 summarizes the use of encryption in current satellites. The following 
section gives a brief description of each of the existing and planned satellites with 
encryption on-board. 
Table 3-2 Summary of the Use of Encryption in Current Satellite Missions 
Spacecraft Name                                         Algorithms Used                                Implementation Platform        Encrypted Data
Space Technology Research Vehicle (STRV-1d) [15]        Data Encryption Standard (DES)                 Software (on SPARC processor)  S-band downlink 10 Kbps
Korea Multipurpose Satellite (KOMPSAT-2) [17]           International Data Encryption Algorithm (IDEA) FPGA Hardware                  X-band downlink 160 Mbps
Meteorological Operational Satellite (MetOp-A) [16]     Triple Data Encryption Standard (3-DES)        ASIC Hardware                  VHF 72 kbps & L-band 3.5 Mbps
Turkish Satellite RASAT [75, 76]                        AES                                            ASIC                           X-band 160 Mbps
Canadian Satellite RADARSAT-2 [77]                      DES                                            N.A.                           Both S and X band
N.A. - Not Available 
3.2.1 STRV-1d 
STRV-1d satellite was built by the Defence Evaluation and Research Agency 
(DERA). It was launched from Kourou, French Guiana, on 14 November 2000 [15]. 
DERA built a series of satellites, namely STRV-1a, 1b, 1c & 1d, to demonstrate new 
technologies in orbit. STRV-1d satellite carries a suite of environmental monitors, 
which will give comprehensive radiation measurement, electrostatic charging effects 
and detect cosmic dust. The other objective of this mission was to demonstrate secure 
communications through on-board encryption. It has 1 kbps S-band uplink and 10 
kbps S-band downlink. The 10 kbps S-band downlink was encrypted using the DES. 
The software implementation of DES algorithm running on a SPARC processor 
encrypts the data. 
3.2.2 KOMPSAT-2 
KOMPSAT-2 is an Earth observation satellite built by the Korean Aerospace 
Research Institute (KARI). The 800 kg craft carries imaging systems to yield 
high-resolution, multispectral images of Earth's surface. The main objective of this mission 
was to provide high-resolution images of the Korean peninsula for the production of 
maps and digital elevation models, applications for use with planning, disaster and 
risk management. It was launched in July 2006. KARI is planning to develop 
KOMPSAT-3 & 5 and few more in the coming years. 
The imaging unit, called Multi Spectral Camera (MSC) unit, of KOMPSAT-2 is 
shown in Figure 3-7 [17]. The MSC itself comprises all the elements required to form 
a stand-alone payload. The multispectral images captured by Optical Unit (OU) are 
compressed and stored in the mass memory unit called Data Storage and Compression 
Unit (DSCU). On demand from the ground station, the images are encrypted and 
formatted and encoded by Channel Coding Unit (CCU). International Data Encryption 
Algorithm (IDEA) is used for encryption and CCSDS & Reed-Solomon coding for 
formatting and encoding. The encrypted data is transmitted to ground through the 
Antenna Unit (AU) through X-band [17]. 
Figure 3-7 Multi Spectral Unit (MSC) of KOMPSAT-2
(Diagram not reproduced. Blocks shown inside the Multi Spectral Camera Unit (MSC): Electro-Optical Unit; Compression and Storage Unit; Encryption Unit; Formatting & Encoding Unit; X-Band Transmitter; AU; data to ground.)
The Channel Coding Unit (CCU) chip is implemented on a Xilinx FPGA (XQVR
600). The chip performs the encryption with IDEA including the CCSDS-compatible
link processing at 160 Mbps. The power consumption of the chip is 2.5 W. Low
internal core voltages of the FPGA are used for a low power implementation of the
complex processing tasks.
3.2.3 MetOp-A
The MetOp satellite programme is jointly established by ESA and the European
Organisation for the Exploitation of Meteorological Satellites (EUMETSAT), forming
the space segment of EUMETSAT's Polar System (EPS). MetOp is a new European
undertaking to provide weather data services that will be used to monitor climate and
improve weather forecasts. MetOp is a series of three satellites to be launched
sequentially over the next 14 years and the first in the series, MetOp-A, was launched
in October 2006. With an array of sophisticated imaging payloads, MetOp provides
images of high resolution to monitor global weather and improve weather
forecasting [16].
The science data generated by imaging payloads is multiplexed and provided on three 
channels going to an on-board solid state recorder (SSR), the High Rate Picture 
Transmission (HRPT) and Low Rate Picture Transmission (LRPT) direct broadcast 
systems. Science data transmission to ground is ensured by three links. One link is 
through X-band at 70 Mbps to dump the SSR global data and for further forwarding 
via terrestrial transmission links to other users. Other links of transmission are the 
HRPT and LRPT providing continuous data transmission to ground in VHF (72 kbps) 
and L-bands (3.5 Mbps) respectively for local users. 
On-board encryption of LRPT and HRPT is provided on demand using the Triple
Data Encryption Standard (TDES) to prevent access by unauthorized users. The
encryption keys are generated in the EPS Key Management Centre (KMC) and
distributed via secure terrestrial links to registered local mission users. The on-board
encryption is based on the principle shown in Figure 3-8 [16]. The encryption itself is
performed by doing an exclusive OR between the clear data and a pseudo-noise
pattern. As this operation is fully reversible, the data at ground are decrypted by using
the same pseudo-noise pattern in an exclusive OR with the data.
The pseudo-noise pattern that is the basis for the encryption is created from the secret
Master Satellite Key (MSK), which is stored on board and cannot be transmitted to
ground via telemetry, and the Public Satellite Keys (PSK), which can be uploaded
from the ground periodically to ensure sufficient secrecy and to control data access.
On MetOp, there is a table of 64 different possible PSKs. These PSKs are stored in
encrypted form and there is a suitable telecommand to select the appropriate
key. One of the PSKs is selected depending on the telecommand from the ground
station and it is decrypted using the MSK to get the message key. The Triple Data
Encryption Standard (TDES) algorithm (decryption part) is used to get the message
keys. The seed together with the message key is the basis for the pseudo-noise key or
pattern (PNK). The OFB mode of TDES is used to generate the PNK. The seed is
composed of the header of the data unit, called the Virtual Channel Data Unit (VCDU), and the insert
zone. This PNK is exclusive-ORed with the plain data to generate the cipher stream.
The data handling electronics unit that includes the encryption unit is implemented
using ASIC technologies.
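The key hierarchy and pseudo-noise generation described above, written out as an added Java example using the standard javax.crypto API (it is not code from the thesis or from MetOp). The key values, the 24-byte three-key TDES message keys, the ECB wrapping of the PSK table entries and the seed layout (6-byte VCDU header plus 2-byte insert zone, chosen to fill one 8-byte TDES block) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PnkDemo {
    static final int PSK_COUNT = 64; // table size given in the text
    static final int KEY_LEN = 24;   // assumption: three-key TDES (3 x 8 bytes)
    static final int BLOCK = 8;      // TDES block size in bytes

    // Raw TDES over whole blocks, used to wrap and unwrap table entries (ECB is an assumption).
    static byte[] tdes(int mode, byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key, "DESede"));
        return c.doFinal(data);
    }

    // On board: the telecommanded key number selects one stored PSK, which is
    // decrypted under the MSK to obtain the message key.
    static byte[] messageKey(byte[] msk, byte[][] pskTable, int keyNumber) throws Exception {
        if (keyNumber < 0 || keyNumber >= pskTable.length) {
            throw new IllegalArgumentException("key number outside the PSK table");
        }
        return tdes(Cipher.DECRYPT_MODE, msk, pskTable[keyNumber]);
    }

    // Seed = VCDU header followed by the insert zone; it must fill one cipher block.
    static byte[] seed(byte[] vcduHeader, byte[] insertZone) {
        if (vcduHeader.length + insertZone.length != BLOCK) {
            throw new IllegalArgumentException("seed must be exactly " + BLOCK + " bytes");
        }
        byte[] s = Arrays.copyOf(vcduHeader, BLOCK);
        System.arraycopy(insertZone, 0, s, vcduHeader.length, insertZone.length);
        return s;
    }

    // PNK = TDES-OFB keystream. Encrypting zeros in OFB mode returns the keystream itself.
    static byte[] pnk(byte[] messageKey, byte[] seed, int length) throws Exception {
        Cipher c = Cipher.getInstance("DESede/OFB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(messageKey, "DESede"),
               new IvParameterSpec(seed));
        int whole = ((length + BLOCK - 1) / BLOCK) * BLOCK; // whole blocks, then truncate
        return Arrays.copyOf(c.doFinal(new byte[whole]), length);
    }

    static byte[] xor(byte[] data, byte[] pattern) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) out[i] = (byte) (data[i] ^ pattern[i]);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] msk = new byte[KEY_LEN];
        rng.nextBytes(msk);

        // Key management side (constructed): PSK[i] = TDES-encrypt(MSK, message key i).
        byte[][] messageKeys = new byte[PSK_COUNT][KEY_LEN];
        byte[][] pskTable = new byte[PSK_COUNT][];
        for (int i = 0; i < PSK_COUNT; i++) {
            rng.nextBytes(messageKeys[i]);
            pskTable[i] = tdes(Cipher.ENCRYPT_MODE, msk, messageKeys[i]);
        }

        int keyNumber = 17;                                        // carried by the telecommand
        byte[] header = {0x40, 0x2A, 0x00, 0x00, 0x01, 0x00};      // constructed VCDU header
        byte[] nextHeader = {0x40, 0x2A, 0x00, 0x00, 0x02, 0x00};  // constructed: next data unit
        byte[] insertZone = {0x00, 0x07};                          // constructed insert zone
        byte[] clear = "constructed LRPT data field".getBytes(StandardCharsets.US_ASCII);

        // Satellite: derive the message key, build the PNK, XOR it onto the clear data.
        byte[] onBoardKey = messageKey(msk, pskTable, keyNumber);
        byte[] cipher = xor(clear, pnk(onBoardKey, seed(header, insertZone), clear.length));

        // Ground user (assumed to hold the message key and to read the seed fields
        // from the received VCDU): the same PNK and the same XOR recover the data.
        byte[] userKey = messageKeys[keyNumber];
        byte[] recovered = xor(cipher, pnk(userKey, seed(header, insertZone), cipher.length));
        System.out.println("recovered == clear: " + Arrays.equals(clear, recovered));

        // A changed header changes the seed, so the next data unit gets a different PNK.
        byte[] p1 = pnk(onBoardKey, seed(header, insertZone), 16);
        byte[] p2 = pnk(onBoardKey, seed(nextHeader, insertZone), 16);
        System.out.println("PNK differs between data units: " + !Arrays.equals(p1, p2));
    }
}
```

Because the PNK depends only on the message key and the seed, two data units that share both receive the same pattern, so the seed fields have to change from one unit to the next for the XOR to protect the data.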
Figure 3-8 On-Board Encryption Block Diagram Used in METOP-
(Diagram not reproduced. Recoverable labels: SEED (from VCDU and insert zone); Key Number.)
3.2.4 RASAT
The EO satellite RASAT is being developed by the Turkish research institute Tubitak-
Bilten and is scheduled for launch in 2008. GEZGIN-2 is a real-time multispectral
image processing subsystem developed for the RASAT microsatellite. The main
functionality of this subsystem is to compress in real-time multi-spectral images
received concurrently from imagers, using JPEG2000 image compression. The
real-time encryption/decryption features are implemented on a separate board called
GOLGE, which is mounted on GEZGIN-2 as a daughter-board [75]. GOLGE
accommodates in-house designed encryption/decryption chips for public-key and
private key encryption of image/data streams [76].
GOLGE uses two different algorithms for encryption and decryption. The first one is the
public-key RSA (Rivest-Shamir-Adleman) algorithm and the second one is the
private-key AES (Advanced Encryption Standard) algorithm. In GOLGE the RSA algorithm
is used to encrypt and decrypt the session keys. These session keys are used by the
AES crypt module to encrypt and decrypt block data such as the images captured by
the camera on RASAT. The encryption rate of the AES algorithm is 160 Mbps at 25
MHz. It will use two ASICs for encryption/decryption; the AES and RSA
algorithms are implemented in 0.35 µm standard CMOS technology. Having a data
encryption and decryption throughput of 160 Mbps, GOLGE will encrypt the images
captured by the cameras on RASAT in real-time.
3.2.5 RADARSAT-2
RADARSAT-2 is Canada's next-generation commercial satellite and is scheduled for
launch in the summer of 2007 [77]. RADARSAT-2 has been designed with
significant and powerful technical advancements which include 3 m high-resolution
imaging, flexibility in selection of polarization, left and right-looking imaging
options, superior data storage and more precise measurements of spacecraft position
and attitude. The encryption of these high quality images will be carried out using the
DES algorithm.
3.3 On-Board Security Architecture for Earth Observation Small Satellites 
As discussed in section 3.2, only very few EO satellites are equipped with on-board 
security services, in particular only encryption services are used to protect the data 
transmitted to the ground station. Security services such as authentication and data 
integrity, which are required for the overall protection of satellite data, are not 
addressed at present. This has been highlighted in the United States General 
Accounting Office report (GAO-02-781) [4] on mitigating the risk of satellites being 
taken over by unauthorized users. In order to secure the communication between the 
satellite and the ground station, both the uplink and the downlink need to be protected 
[4,5,78]. In addition, similar to secure terrestrial architectures, all security services 
like authentication, integrity and encryption should be used for complete protection of 
the satellite communication links. Key management in satellites also plays a crucial 
role as in terrestrial applications. Possible key management strategies for satellite 
applications are discussed in [107]. 
Figure 3-9 [11] shows a block diagram of the proposed on-board security architecture 
for a small EO satellite. For the sake of simplicity Figure 3-9 includes only the main 
connections between the subsystems. The following security blocks are introduced in 
the small satellite block diagram, Figure 3-3, to protect the communication links: an 
authentication and integrity check block, an encryption block and a real-time high-
speed encryption block. 
3.3.1 Security Services for Uplink Commands
The uplink or telecommand should be checked for integrity and authentication in
order to protect the satellite from being taken over by unauthorized people. Thus, the
authentication and integrity block in Figure 3-9 provides protection to the satellite by
ensuring that the on-board data handling subsystem receives unmodified telecommands
from an authorized ground station. Any telecommands that do not pass the authentication
process are rejected. To achieve authentication and integrity of telecommands the
security mechanisms discussed in section 2.1 can be used. For instance, if the
telecommands are encrypted by the ground station using the secret key of the satellite
then the successful decryption of the commands by the satellite will itself serve as the
authentication of the source (ground station). In general the telecommands are
encoded by the ground station [18]. Hence the successful decoding of commands
on board the satellite will serve the purpose of an integrity check. The telecommands may
also be encrypted by the ground station depending on the level of security required [4]. If
encrypted telecommands are sent to the satellite, they are decrypted on-board
before being checked for authentication and integrity.
Figure 3-9 Block Diagram of the Proposed On-Board Security Architecture
(Diagram not reproduced. Blocks shown: Solar Panels; BUS; Communications (Receivers, Low rate Transmitters, High rate Transmitters); Command and Data Handling (Decryption (Optional), Authentication & Integrity Check, OBC, Encryption); Imaging Payload (Optical Unit (Camera), Mass Memory Unit, High-Speed Encryption, Encoding (FEC) (Integrity)); Attitude; Propulsion; Navigation.)
3.3.2 Security Services for Downlink Data
Both high rate and low rate downlinks of EO satellites should be encrypted to protect
the valuable and sensitive data transmitted to the ground station. The low rate downlink
consists of sensitive information such as satellite health and control information
(attitude and orbit information), on-board voltage and temperature measurements and
time stamps. Thus the encryption block in Figure 3-9 encrypts the low rate telemetry
downlink. The high rate downlink is usually the imaging payload data stored in the mass
memory unit. In order to protect the valuable data the high rate downlink needs to
be encrypted. Thus the real-time high-speed encryption block in Figure 3-9 [11]
protects the high rate downlink. For the high rate downlink, data need to be encrypted
on demand by the ground station during the contact period and therefore the
encryption process should be high-speed to achieve real-time transmission. Also in
spacecraft, data will be encoded with forward error correction codes before
transmission in order to avoid errors during transmission. The use of forward error
correction codes on the encrypted data will also serve the purpose of providing
integrity.
3.4 Encryption of Satellite Images
The encryption algorithms used in present satellite missions are typically proprietary 
algorithms or outdated algorithms like DES, as listed in Table 3-2, rather than using 
the latest encryption standards. The Rijndael algorithm approved as the AES by the 
NIST in October 2000 is being adopted by many organizations across the world. It is 
used across a wide range of platforms ranging from smart cards to big servers. AES is 
gradually emerging as the preferred algorithm in the aerospace industry because of its 
simplicity and flexibility in implementation. The CCSDS is considering 
recommending AES as the standard encryption algorithm for use on satellites. 
Recently, the Turkish satellite RASAT is also planning to use AES for on-board
encryption.
3.4.1 Encryption of Satellite Images Using AES Modes
The encryption and decryption of satellite multispectral images were implemented
using a software program written using the Java programming language [79]. The
standard Java language features together with the Java Image I/O Application
Programmer Interface (API) (Version 1.0) have been used to encrypt and decrypt the
satellite multispectral images. The packages used alongside the Image I/O API for reading and
writing the images are java.lang, java.io and java.util. The Java programs are
compiled using the JDK 1.4.2 compiler on the Windows 2000 operating system. The AES
software implementation is divided into core modules and feedback modules. The
core modules consist of ShiftRows, SubBytes, MixColumns and the corresponding
inverse modules for decryption. The feedback modules consist of encryption and
decryption routines for ECB, CBC, CFB, OFB and CTR modes. Sun's Java API
for JPEG images [79] is used for image encoding and decoding during the encryption
and decryption process. Multispectral satellite images from SSTL [12] and the Internet
[80] have been employed to demonstrate the satellite image encryption.
The multispectral satellite image in Figure 3-10 (a) [80] is employed as a test image to
carry out encryption using the modes of AES. It is found that images encrypted with
the ECB mode reveal patterns in the input data as shown in Figure 3-10 (b), which
makes the ECB mode insecure. This is due to the fact that in the ECB mode the same
plain data input results in the same cipher data output. Figure 3-10 (c) shows the
encrypted image using the CBC, OFB, CFB and CTR modes, where no data patterns
are revealed [26].
Figure 3-10 (a) Plain Image (b) Encrypted Image using ECB (c) Encrypted Image Using
CBC, OFB, CFB & CTR
As discussed above, ECB is not suitable for encryption of satellite images as patterns
are observable in the encrypted image. Pre-processing of the key stream is one of the
main advantages of the OFB and CTR modes. This OFB / CTR feature could enable
high-speed and near real-time encryption of data with less processing time and
computing resources in satellites. The plain data could just be XOR-ed with the
pre-computed key stream to generate the encrypted data when they are to be transmitted to
ground. However, the storage of the key stream requires a huge amount of memory, as
the key stream length is equal to the data stream length, which makes pre-processing
in OFB / CTR not attractive for on-board use. The remaining AES modes, CBC
and CFB, are also viable options for on-board use. The two modes have identical
characteristics except that CBC is a block cipher mode and CFB is a stream
cipher mode.
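The mode comparison above, reproduced as an added Java example on a small constructed image (this is not the thesis simulator; it uses the standard javax.crypto AES rather than the author's own core and feedback modules). The key, IV and 64 x 64 test scene are constructed values, and the last step shows the OFB key stream being pre-computed before the image data is available.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesModeDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // Constructed 64 x 64, 8-bit test scene: flat "sea", flat "land", one bright square.
    static byte[] testImage() {
        int w = 64, h = 64;
        byte[] img = new byte[w * h];
        for (int y = 0; y < h; y++) {
            for (int x = 0; x < w; x++) {
                int v = (y < 40) ? 0x20 : 0x90;
                if (x >= 16 && x < 32 && y >= 8 && y < 24) v = 0xF0;
                img[y * w + x] = (byte) v;
            }
        }
        return img;
    }

    static byte[] encrypt(String mode, byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/" + mode + "/NoPadding");
        SecretKeySpec k = new SecretKeySpec(key, "AES");
        if (mode.equals("ECB")) {
            c.init(Cipher.ENCRYPT_MODE, k); // ECB takes no IV
        } else {
            c.init(Cipher.ENCRYPT_MODE, k, new IvParameterSpec(iv));
        }
        return c.doFinal(data);
    }

    // Number of different 16-byte blocks in a buffer. Repeated ciphertext blocks
    // are what show up as visible structure in an ECB-encrypted image.
    static int distinctBlocks(byte[] data) {
        Set<ByteBuffer> seen = new HashSet<>();
        for (int i = 0; i + BLOCK <= data.length; i += BLOCK) {
            seen.add(ByteBuffer.wrap(Arrays.copyOfRange(data, i, i + BLOCK)));
        }
        return seen.size();
    }

    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];
        byte[] iv = new byte[16];
        for (int i = 0; i < 16; i++) {   // constructed fixed values, for a repeatable run only
            key[i] = (byte) i;
            iv[i] = (byte) (0xA0 + i);
        }
        byte[] image = testImage();

        System.out.println("blocks in image: " + image.length / BLOCK
                + ", distinct plaintext blocks: " + distinctBlocks(image));
        for (String mode : new String[] {"ECB", "CBC", "CFB", "OFB", "CTR"}) {
            byte[] ct = encrypt(mode, key, iv, image);
            System.out.println(mode + ": distinct ciphertext blocks = " + distinctBlocks(ct));
        }

        // OFB pre-processing: the key stream depends only on key and IV, so it can be
        // generated ahead of the pass and XOR-ed onto the data at transmission time.
        byte[] keystream = encrypt("OFB", key, iv, new byte[image.length]);
        byte[] viaXor = xor(image, keystream);
        System.out.println("pre-computed XOR equals on-line OFB: "
                + Arrays.equals(viaXor, encrypt("OFB", key, iv, image)));
        System.out.println("key stream bytes to store: " + keystream.length
                + " for " + image.length + " data bytes");
    }
}
```

ECB maps equal plaintext blocks to equal ciphertext blocks, so its distinct-block count matches that of the plain image, while the chained and key stream modes spread the same input over the full block range.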
3.5 Conclusions 
Satellites are classified according to their weight and they are broadly divided as large 
and small satellites. In this chapter, small satellites, in particular EO satellites have 
been discussed in detail. Also a brief introduction to the small satellite platform and
on-board block diagram has been presented.
A review of on-board encryption architectures, algorithms and services used in
existing satellites has been done and summarised. In this chapter the necessary
security services required to protect the satellite links are identified and a security 
block diagram for small EO satellites is presented. In order to protect the valuable 
information generated by the sophisticated on-board payloads, the AES algorithm has 
been chosen to perform the encryption of high data rate downlink, which is of the 
order of hundreds of Mbps. 
Also in this chapter an analysis of satellite image encryption using popular modes of
AES such as ECB, CBC, OFB, CFB and CTR is carried out using a purpose-built
software simulator developed in Java. Advantages and disadvantages of each of
these modes for on-board use are discussed.
Chapter4.Design Space Exploration of the AES Algorithm
Chapter 4 
4 Design Space Exploration of the AES Algorithm 
4.0 Introduction 
A detailed survey of the AES implementations on various platforms has been carried
out in Chapter 2 and in Chapter 3 we discussed the encryption of satellite images
using the AES. This chapter discusses the suitability of the AES for on-board use in
terms of high processing speed, small area, power and energy consumption. Various
implementations of the AES using architectural and algorithmic optimizations have
been carried out and evaluated. Section 4.1 discusses the suitable platform and
technology for the implementation of the AES for on-board use. Section 4.2 addresses
the effect of various AES optimization techniques on the throughput, device area and
power of Static Random Access Memory (SRAM) based FPGA implementations
targeting the space application domain.
4.1 AES Implementation: Platform and Technology 
As discussed in Chapter 2, AES has been implemented on a wide variety of platforms
for various applications ranging from smart cards to big servers. It has been
implemented targeting both software and hardware platforms. Software
implementations of the AES are carried out using programming languages such as C,
C++, Java or assembly and executed on a general purpose processor [34,39,40,41,42].
In hardware implementations, a dedicated purpose-built processor using ASICs or
FPGAs has been used. A comprehensive survey of various software and hardware
implementations has been carried out and summarised in Chapter 2. This section
addresses the suitable platform and technology for the AES implementation to use in
space applications.
4.1.1 Hardware or Software platform? 
In general, cryptographic algorithms are implemented using dedicated hardware to 
achieve a higher speed than the software implementations. The additional 
requirements of smart and sophisticated applications however, demand other 
properties of hardware implementations such as low power, energy and small device 
area. There are two main scenarios where hardware implementations are 
advantageous over software implementations. 
The main advantage of hardware implementations is that they achieve high-speed
processing compared to software implementations [19]. This is because software
implementations run on a general purpose processor, which is shared by many other
applications. Also, general purpose processors are designed to execute a wide variety of
applications and may not necessarily be an optimised platform to execute
cryptographic algorithms which use a specific set of arithmetic operations. On the other
hand, a dedicated hardware processor will achieve very high speed processing as it is
designed and allocated for the sole use of a certain cryptographic algorithm. Typically,
a cryptographic processor is used in conjunction with the general purpose processor.
The cryptographic processor is then responsible for the cryptographic operations in
order to relieve the main processor to attend to the rest of the operations [42].
In addition to high-speed processing, present day applications demand low power and 
energy. In sophisticated and smart applications power constraints are highly stringent. 
The advantages of hardware implementations over software are low-power and high 
speed. Hardware implementations are faster and consume less energy and power 
compared to that of software. This is because, as discussed above, dedicated hardware
is specifically designed to perform a given computation, and thus can be very
efficient in terms of area, power and energy consumption. Hence hardware
implementations of cryptographic algorithms are preferred over software where high 
speed as well as low power processing is needed. 
4.1.2 FPGA or ASIC? 
As discussed above, there are two common methods in conventional computing for
execution of algorithms. The first is to use a purpose-built hardwired technology, for
example an ASIC, to perform the operations in hardware. ASICs are specifically
designed to perform a given computation, and are thus very efficient. The term
efficient can have several meanings, for instance, the design can be high speed
processing, or very small or can require only very little power. However, the circuit
cannot be altered after production. This forces a redesign and remanufacturing of the
chip if any part of the circuit needs to be modified.
The second method is to use a software-programmed processor or microprocessor, a
far more flexible solution. Processors execute a set of instructions to perform a
computation. By changing the software instructions, the functionality of the system is
altered without changing the hardware. The downside of this flexibility is that the
performance suffers and is far below that of an ASIC.
Reconfigurable computing intends to fill the gap between hardware and software,
achieving potentially much higher performance than software, while maintaining a
higher level of flexibility than hardware. Reconfigurable devices, FPGAs, contain an
array of computational elements whose functionality is determined through multiple
programmable configuration bits. These elements, the so-called logic blocks, are
connected using a set of routing resources that are also programmable. Synthesis and
implementation tools allow the high level description of a design to be translated into
the programming language for an FPGA. The reconfigurability of FPGAs offers
several advantages when using them for cryptographic applications. Some of the
main advantages are described below [22,88].
Algorithm Agility: This term refers to switching the cryptographic algorithms during
operation of the targeted application, in our case a spacecraft. One can observe that the
majority of modern security protocols, such as SSL or IPsec, are algorithm
independent and allow for multiple encryption algorithms. The encryption algorithm
is negotiated on a per-session basis and a wide variety may be required.
Algorithm Upload: Using FPGAs it is possible to upgrade with a new encryption
algorithm. A new cryptographic algorithm upload can be necessary for
reasons such as the current algorithm being broken, a new standard being created and/or
the list of ciphers in an algorithm independent protocol being extended. FPGA based
encryption devices can upload the new configuration code. Notice that the upgrade of
ASIC based implementations of algorithms is practically infeasible if the systems are not
easily accessible, for instance in satellites.
Throughput rate: Although typically slower than ASIC implementations, FPGA 
implementations have the potential of running substantially faster than software 
implementations. 
Cost Efficiency: There are two cost factors that have to be taken into consideration, 
when analyzing the cost efficiency of FPGAs: cost of development and unit prices. 
The costs to develop an FPGA implementation of a given algorithm are much lower 
than for an ASIC implementation, because one is actually able to use the given 
structure of the FPGA (e.g. look-up table) and one can test the reconfigured chip 
endless times without any further costs. This results in a shorter time-to-market 
period, which is nowadays an important cost factor. The unit prices are not so 
significant when comparing them with the development costs. However, for high-
volume applications, ASIC solutions are the more cost-efficient choice. 
4.1.3 Antifuse or SRAM FPGAs? 
As discussed above, FPGA technology offers a number of advantages including a
highly compact solution, high integrity, flexibility, reduced cost, faster and cheaper
prototyping and reduced time to market. The capacity and performance of FPGAs
suitable for space flight applications have been steadily increasing for more than a
decade. The application of FPGAs has moved from simple glue logic to complete
platforms that combine several real-time system functions on a single chip. FPGAs
can be split into two categories, namely re-programmable and one time programmable
(OTP). In an antifuse programmable device, special "anti-fuses" are included at each
customisation point. These OTP FPGAs use antifuses for storing their configuration,
either using oxide-nitride-oxide (ONO) or metal-to-metal (M2M) antifuse structures.
Anti-fuse FPGAs and high reliability/military products are widely used as 
components for satellite on-board processing. 
The other category of FPGAs is re-programmable FPGAs. Reprogrammable
technology offers volatile SRAM or non-volatile EEPROM/Flash cells to hold the
device configuration. SRAM based technology is evolving at a faster pace than OTP
technology, and now features a million system gates or more on a single chip, and
hence has become an attractive choice for high performance applications. The SRAM
bits are connected to configuration points in the FPGA, and programming the SRAM
bits configures the FPGA. Thus, these chips can be programmed and reprogrammed
as easily as a standard static RAM. The methods to program or re-program these
FPGAs are called run-time reconfiguration and partial reconfiguration [71,82].
Run-time (or dynamic) reconfiguration is used to swap different configurations in and
out of the reconfigurable hardware as they are required during program execution.
Partial run-time reconfiguration allows part of the reconfigurable device to be
modified while the rest of the device is still in operation. Partial run-time
reconfiguration is also called dynamic partial reconfiguration or active partial
reconfiguration. Currently available partial run-time reconfigurable FPGA devices
are: the Xilinx Virtex/E/2/2 Pro/4 families, the Atmel AT40K family, the Lattice
Semiconductors ORCA2/3/4 and ispXPGA families. They are all SRAM-based
FPGAs. However, Xilinx FPGAs have the largest capacity compared to others. The
use of SRAM-based FPGAs, combined with reconfigurable computing technology, is
very promising in space applications. In this research, to reduce the initial cost during
the proof-of-concept stage, our FPGA designs will target one particular device of
the Xilinx Virtex 2 family FPGAs. The next section will review the Virtex series
FPGAs' architecture.
4.1.4 Structure of SRAM Based FPGAs
This section discusses Virtex 2 Xilinx family FPGAs, one of the most widely used
FPGA families. Xilinx FPGAs consist of I/O blocks (IOB), internal configurable
logic and programmable routing matrix as shown in Figure 4-1 [22]. The internal
configurable logic includes four major elements organized in a regular array. They are
CLBs, BRAM, Multiplier blocks and DCM as described below.
• Configurable Logic Blocks (CLBs) provide functional elements for
combinational and synchronous logic including basic storage elements.
• Block SelectRAM memory modules provide large 18 Kbit storage elements of
dual-port RAM.
• Multiplier blocks for dedicated multipliers.
• DCM (Digital Clock Manager). This block provides self-calibrating, fully
digital solutions for clock distribution delay compensation, clock
multiplication and division etc.
Figure 4-1 Structure of Xilinx Virtex 2 FPGA
The Xilinx Virtex 2 FPGAs consist of an array of CLBs. The FPGA 2V1000 has
a size of 40 X 32 (= 1280). The CLBs provide functional elements for combinatorial
and synchronous logic. Each CLB includes four identical slices (1280 X 4 = 5120
slices). Each slice contains
• Two 4-input function generators (5120 X 2 = 10 240 function generators)
• Carry Logic
• Arithmetic logic gates
• Multiplexers and
• Two storage elements (5120 X 2 = 10 240 storage elements)
Each 4-input function generator is programmable as a 4-input LUT, 16 bits of
distributed SelectRAM memory, or a 16-bit variable-tap shift register as shown in
Figure 4-2 [22]. Input/output blocks (IOBs) encircle the CLB array. Each IOB can be
used as single-ended input and/or output. In addition to CLBs and IOBs the FPGA has
some other components. There are digital clock managers, 18-bit x 18-bit multipliers
and Block RAM. All components are linked together via the global routing matrix.
Figure 4-2 Slice of Virtex 2 FPGA
(Diagram not reproduced. Recoverable labels: LUT; RAM; SRL; Register; MUXFx; Arithmetic Logic.)
The CLBs are interconnected through a general routing matrix (GRM) that comprises
an array of routing switches located at the intersections of horizontal and vertical
routing channels. The Xilinx Virtex 2 matrix also has 40 dedicated memory blocks
called block RAM (BRAM) of 18 Kbits each, clock DLLs for clock-distribution
delay compensation and clock domain control, and two tri-state buffers (BUFT)
associated with each CLB.
4.1.5 Suitable Platform for the Implementation of AES for On-Board Use 
A typical EO small satellite has a weight of approximately 100 kg and the orbit average
power generated by solar panels is 30 to 60 W [2]. The imaging payload units of such 
satellites comprise imagers, mass memory and high-rate data transceivers and 
consume up to 70% of the average orbit power. For example, the recently launched 
small EO satellite TopSat [12] has a weight of 110 kg with average orbit power of 
55 W. The capacity of the memory data recorders of TopSat is 1 Gbyte and the
down-link transmission rate through X-band is 25 Mbps. 
But the demand to improve monitoring of the Earth's resources and its dynamic 
processes drives scientists to require high spatial and high-resolution images from 
Earth-orbiting satellites. In [87], the authors projected that the demand for data rates 
might be as high as 1 Gbps by 2010. To protect these huge amounts of valuable data
during transmission to ground, high-speed on-board encryption using the latest 
encryption algorithms like AES needs to be carried out. In order to meet this 
requirement, hardware implementation of the AES should be considered. 
Advantages of SRAM-based FPGAs such as flexibility of design, shorter time-to-
market, lower cost, remote configurability etc., make them particularly suitable for 
use in small satellite on-board systems. 
4.1.6 Overview of the Radiation Environment and Effects on Integrated Circuits 
The space environment is significantly different from the terrestrial environment. The 
lack of atmospheric protection increases the incident radiation on satellite electronic 
components. Satellite electronic systems include a large variety of analog and digital 
components that are potentially sensitive to radiation and must be protected or at least 
qualified for space operation. The interaction of such radiation with electronic devices 
can cause failure, degradation or malfunctioning in their performance [24].
There are three primary radiation components of the natural space environment that affect
electronic devices. Firstly, planetary magnetic fields trap belts of high-energy protons 
and electrons, thus subjecting satellites to large fluxes of these particles when they 
pass through the radiation belts. Second, galactic cosmic rays, highly energetic 
particles, exist in space. Third, solar flares produce varying quantities of electrons, 
protons, and lower energy charged particles. Solar flare activity varies widely at 
different times. During periods of high solar activity, very high fluxes of particles may 
occur over time periods of hours or days. In low earth orbit (LEO), the main radiation 
source comes from electrons and protons, and in geo-stationary earth orbit (GEO) the 
primary source comes from electrons and solar flares. Hence the impact of radiation 
on on-board semiconductor devices depends on orbit altitude, orientation, and time 
[82]. 
The total ionizing dose (TID) refers to the amount of energy that ionization processes 
create and deposit in a material (such as semiconductor or insulator), when energized 
particles pass through it, causing ionization. TID, mostly due to electrons and protons, 
can result in device failure. TID is measured in terms of the absorbed dose, which is a 
measure of the energy absorbed by matter. Absorbed dose is quantified using either a 
unit called the rad (an acronym for Radiation Absorbed Dose) or the SI unit which is 
the gray (Gy). In the space environment, the total ionizing dose can cause device 
failure. Satellites typically encounter TID between 10 krad(Si) and 100 krad(Si). 
Many current COTS parts are very susceptible to total dose damage, and may fail at 
total-dose of 5 krad(Si) or even less. Total dose is therefore an issue in spaceflight 
where long mission lifetimes, and/or exposure to the high doses of radiation means 
that these dose levels can be easily exceeded [71,82]. TID effects may be mitigated 
using radiation hardened devices and shielding. Electrons and low energy protons can 
be partially mitigated with shielding. Radiation hardening is achieved at different 
levels starting from process level, cell level to gate level etc. In addition, today's 
technology is moving towards smaller feature size devices, i.e. scaling. As feature sizes 
decrease, charge traps become less significant, leading to a trend toward improved 
total-ionising dose performance. However, whilst TID effects are becoming less of an 
issue, new threats have emerged. 
A Single Event Effect (SEE) is the main concern in space, with potentially serious 
consequences for the application, including loss of information and functional failure. 
SEE occurs when charged particles hit the silicon transferring enough energy in order 
to provoke a fault in the system. SEE can have a destructive or transient effect, 
according to the amount of energy deposited by the charged particles and location of 
the strike in the device. Single Event Latchup (SEL), a type of SEE, is a 
condition which causes loss of device functionality due to a single event induced high 
current state. Normally, SEL is measured by linear energy transfer (LET) which is a 
measure of the energy deposited per unit length as an energetic particle travels 
through a material. The main consequences of the transient effect, also called Single 
Event Upset (SEU), are bit flips in the memory elements [82]. SEU has been 
constantly magnified in the past years, caused by the continuous technology evolution 
that has led to more complex architectures, with a large amount of embedded 
memories, followed by an amazing scaling down process of transistor dimensions. 
The fabrication technology process of semiconductor components is in continuous 
evolution in terms of transistor geometry shrinking, power supply, speed and logic 
density. As stated in [81], drastic device shrinking, power supply reduction and 
increasing operating speeds significantly reduce the noise margins and thus the 
reliability that ICs face from the variance of internal sources of noise. 
The fabrication process is now approaching a point where it will be unfeasible to 
produce ICs that are free from upset effects. A more significant problem is related to 
SEU. The necessity to protect integrated circuits against upsets has become more and 
more eminent. Experiments presented in [81] indicate that neutron particles present in 
the atmosphere are capable of producing SEU in avionics. Recent studies also show 
that memory cells composed of transistors with channel length smaller than 0.25 µm 
and combinational logic composed of transistors with length smaller than 0.13 µm 
may be subject to upsets while operating in space environment or at sea level. 
Terrestrial applications that are determined as critical such as bank servers, 
telecommunication servers and avionics are more and more considering the use of 
fault-tolerant techniques to ensure reliability. 
The space market interest of using COTS and military devices in space applications 
and the constant increase in the radiation sensitivity of integrated circuits driven by 
the process scaling, have brought the necessity of researching fault-tolerating 
techniques for ICs able to cope with the radiation effects at sea level, and also 
qualifying the design for space applications [82]. Based on the definition of fault-
tolerance, the goal is to maintain the IC operating correctly despite the existence of 
upsets. Although many techniques have been developed in the last few years 
attempting to avoid SEU, efficient fault-tolerant solutions are still a challenge for the 
next generation semiconductor industry, especially because of the complexity of the 
new architectures. 
4.1.7 Radiation Effects in SRAM Based FPGA 
When an FPGA is used in space, the effects of radiation must be considered and 
accounted for. The lack of atmospheric protection increases the incident radiation, 
which can produce soft and hard circuit faults. The advantages of using SRAM-based 
FPGAs for space applications have been discussed in section 4.1.3. As 
reprogrammable technology has been evolving at a rapid pace, a number of mitigation 
techniques have been proposed to cope with radiation issues. 
The Virtex family from Xilinx is one of the most popular SRAM-based 
programmable devices used in the market nowadays, because of its high density and 
high-performance. It supports a wide range of configurable gates, from 50,000 to 
more than 6 million gates. As discussed in Section 4.1.4, the Virtex architecture 
consists of a flexible and regular matrix composed of an array of CLBs surrounded by 
programmable input and output blocks (IOB), all interconnected by a large hierarchy 
of fast and versatile routing resources. Virtex components are programmed by loading 
a configuration bitstream into the FPGA [81]. The device functionality can be 
changed anytime by loading in a new bitstream. The bitstream is divided into frames 
and it contains all the information to configure the programmable storage elements in 
the matrix located in the look-up tables (LUT) and flip-flops, CLBs configuration 
cells and interconnections and embedded memories. All these bits are potentially 
sensitive to SEUs. 
4.1.8 Fault-Tolerant Approaches for SRAM Based FPGA Design 
There are two ways to implement fault-tolerant circuits in SRAM-based FPGAs, as 
shown in Figure 4-3 [81]. The first possibility is to design a new FPGA matrix 
composed of fault-tolerant elements. These new elements can replace the old ones in 
the same architecture topology or a new architecture can be developed in order to 
improve robustness. The cost of these two approaches is very high and it can differ 
according to the development time, number of engineers required to perform the task 
and the foundry technology used. Another possibility is to protect the high-level 
description by using some sort of redundancy, targeting the FPGA architecture. In this 
way it is possible to use a commercial FPGA part to implement the design and the 
SEU mitigation technique is applied to the design description before the description is 
synthesized in the FPGA. The cost of this approach is less compared to the previous 
one because, in this case, the user is responsible for protecting his/her own design and 
the solution does not require new chip development and fabrication. In this way the 
user has the flexibility of choosing the fault-tolerant technique and consequently the 
overhead in terms of area, performance and power dissipation. 
[Figure 4-3: decision tree. For a given digital circuit described in a high-level description language, how to implement a fault-tolerant digital circuit in SRAM-based FPGA? Either design a new FPGA matrix composed of fault tolerant elements (by replacing elements in the same architecture topology, or by developing a new architecture topology), giving an SEU hardened SRAM-based FPGA; or protect the circuit description by redundancy, targeting the FPGA architecture (full hardware redundancy, or a combination of hardware and time redundancy), using a commercial SRAM-based FPGA.] 
Figure 4-3 Fault Tolerant Approaches Used in SRAM Based FPGA Design 
4.1.9 SEU Mitigation Techniques in SRAM Based FPGAs 
In 2003, Xilinx released its third series of radiation hardened FPGAs - the QPro 
Virtex 2. The capacity of the largest FPGA of this family is up to 6 million system 
gates. The space-related features of the Xilinx QPro Virtex and Virtex 2 radiation 
hardened FPGAs are summarized from Xilinx data sheets and can be found at [22]. 
TIDs of the Xilinx QPro Virtex and Virtex 2 FPGAs are 100 krad(Si) and 200 krad(Si) 
respectively, which indicates that they are very tolerant to total ionizing dose. From 
the data sheets [22], it is concluded that both the QPro Virtex and Virtex 2 FPGAs are 
latch-up immune. The SEL immunity of the QPro Virtex 2 can reach to LET = 160 
MeV·cm²/mg. 
As discussed above, the two main categories of radiation effects are TID and SEEs. 
Regarding SRAM-based FPGAs, there are two types of SEEs - SELs and SEUs. 
Test results of TID and SEL for the radiation-tolerant Virtex FPGAs show that these 
devices have excellent TID and SEL performance satisfying the requirements for use 
in space [22,77]. However, these radiation-tolerant FPGAs are still sensitive to SEUs. 
SEUs in the Virtex FPGAs can be grouped into three categories [81]: configuration 
upsets, user logic upsets and architectural upsets or SEFIs (Table 4-1). 
Table 4-1 Types of SEU Upsets in SRAM Based FPGAs 
Upset Modes            Damage Objects                              Detection 
Configuration Upsets   Configuration memory                        Readback 
User Logic Upsets      BlockRAM,                                   Not feasible 
                       CLB Flip-Flops (CLB-FF),
                       I/O Block Flip-Flop (IOB-FF)
Architectural Upsets   Control elements of the FPGAs (e.g.         Indirect measurement 
                       configuration circuits, reset control)
4.1.9.1 SEU Mitigation for Configuration Upset 
Readback and partial reconfiguration of the Virtex series FPGAs allow a system to 
detect and repair SEUs in the configuration memory without disrupting its operation 
or completely reconfiguring the FPGA. This feature facilitates two simple techniques 
for maintaining coherency of the bitstream and correcting the configuration upsets - 
Partial Reconfiguration and Scrubbing. Only the SelectMap and JTAG modes support 
partial reconfiguration of the Virtex FPGAs. Investigations by Xilinx have shown that 
partial reconfiguration in Virtex can be used for the purpose of correcting SEUs to the 
configuration memory array induced by cosmic rays [71,81,86]. Another efficient 
method of SEU correction is Scrubbing. Scrubbing is a much simpler correction 
method, which omits readback and detection and simply reloads the configuration at a 
chosen interval. Scrubbing simply rewrites the device bitstream, so the time to repair 
an error is the scrub cycle time. The cycle time can be on the order of a few 
milliseconds and varies with device density. Continuous readback in conjunction with 
a detection algorithm (bit compare, CRC, etc) provides data on upsets encountered, 
time, and frequency. Partial reconfiguration repairs any section of the device where an 
error is detected. 
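The two repair paths described above, as an added Python model that is not part of the thesis: readback with a per-frame CRC-32 compare followed by partial reconfiguration, next to blind scrubbing. The frame geometry, the golden-image generator and all function names are assumptions made for illustration; real Virtex frames and the SelectMap/JTAG interface are not modelled.

```python
"""Model of SEU repair in configuration memory: readback with CRC detection and
partial reconfiguration, compared with blind scrubbing. Frame count and frame
size are constructed values, not real Virtex geometry."""
import zlib

FRAME_BYTES = 64   # constructed frame size
NUM_FRAMES = 16    # constructed number of frames

# Constructed upset schedule as (frame, bit) pairs; frame 10 is hit twice.
UPSETS = [(3, 17), (10, 5), (10, 200)]


def make_golden_bitstream():
    """Deterministic stand-in for the golden bitstream, one bytes object per frame."""
    return [bytes((f * 31 + i * 7) & 0xFF for i in range(FRAME_BYTES))
            for f in range(NUM_FRAMES)]


def configure(golden):
    """Full configuration: copy every golden frame into writable configuration memory."""
    return [bytearray(frame) for frame in golden]


def inject_seu(config, frame, bit):
    """Flip a single configuration bit, which is what an SEU does."""
    config[frame][bit // 8] ^= 1 << (bit % 8)


def readback_detect(config, golden_crcs):
    """Read back all frames; return indices of frames whose CRC-32 no longer matches."""
    return [i for i, frame in enumerate(config)
            if zlib.crc32(bytes(frame)) != golden_crcs[i]]


def partial_reconfigure(config, golden, bad_frames):
    """Rewrite only the frames flagged by readback; return how many frames were written."""
    for i in bad_frames:
        config[i][:] = golden[i]
    return len(bad_frames)


def scrub(config, golden):
    """Rewrite the whole configuration without inspecting it; return frames written."""
    for i, frame in enumerate(golden):
        config[i][:] = frame
    return len(golden)


def is_clean(config, golden):
    """True when configuration memory matches the golden bitstream bit for bit."""
    return all(bytes(c) == g for c, g in zip(config, golden))


def run_readback_repair():
    """Readback path: returns (frames found upset, frames rewritten, repaired?)."""
    golden = make_golden_bitstream()
    golden_crcs = [zlib.crc32(f) for f in golden]
    config = configure(golden)
    for frame, bit in UPSETS:
        inject_seu(config, frame, bit)
    upset_frames = readback_detect(config, golden_crcs)
    written = partial_reconfigure(config, golden, upset_frames)
    return upset_frames, written, is_clean(config, golden)


def run_scrub():
    """Scrubbing path: returns (frames rewritten, repaired?); no upset data exists."""
    golden = make_golden_bitstream()
    config = configure(golden)
    for frame, bit in UPSETS:
        inject_seu(config, frame, bit)
    written = scrub(config, golden)
    return written, is_clean(config, golden)


if __name__ == "__main__":
    print("readback + partial reconfiguration:", run_readback_repair())
    print("scrubbing:", run_scrub())
```

Both paths restore the configuration; only the readback path can report which frames were upset, while scrubbing pays a full rewrite every cycle.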
4.1.9.2 SEU Mitigation for User Logic Upsets 
The user logic contains elements not directly available in the bitstream for the purpose 
of upset detection. The data for the user logic in the bitstream are subject to changes 
in the normal function of the user-implemented logic. These include BlockRAM, 
CLB-FF and IOB-FF. This kind of upset is not feasible to detect because the 
state of each bit needs to be known a priori, and data in these locations change state 
in the normal function of the user implemented logic. To mitigate user logic upsets, 
techniques such as Triple Modular Redundancy (TMR) are necessary, which 
will be discussed in the next section. 
4.1.9.3 SEU Mitigation for Architectural Upsets 
Single Event Functional Interrupts (SEFIs) are architectural upsets incurred in the 
control elements of the FPGAs. They can only be detected through a unique fault 
"signature" [82]. The typical SEFIs are Power-On Reset (POR) upsets and the JTAG 
tap controller upset. POR upsets would re-initialise the FPGA. Fortunately, the 
probabilities of upsets to POR are small - on the order of one POR upset per 85.6 
years in LEO [111]. The probabilities of upsets to the JTAG tap controller are even 
lower than POR - 1 upset > 700 years. The only way to completely eliminate the 
effect of SEFIs is to use hardware redundancy. 
4.1.10 Redundancy Methods for SEU Mitigation 
The traditional method for SEU mitigation is Triple Redundancy (TR) with voting, 
including TMR and Triple Device Redundancy (TDR). TMR is to replicate redundant 
instances of an entire module and mitigate the final outputs of the modules 
(Figure 4-4 (a)). TDR is to use triple FPGA devices (Figure 4-4 (b)) [111]. Using TMR to the 
gate level is also necessary to protect the user logic on the gate level. Xilinx offers a 
TMR tool, called Xilinx triple modular redundancy (XTMR), which can work with any 
hardware description language (HDL) and any synthesis tool to automatically build 
TMR technology into any Xilinx FPGA design. 
Figure 4-4 Triple Redundancy Mitigation (a) Triple Modular Redundancy (TMR) (b) Triple 
Device Redundancy (TDR) 
The SEE consortium was founded in 2002 by the JPL and Xilinx to evaluate re-
configurable FPGAs for aerospace applications. This consortium has enlarged to 14 
members up to now, including the Aerospace Corporation, Air Force Research 
Laboratory, Lockheed Martin, Los Alamos National Lab, etc. The investigation shows 
that the combination of TMR and scrubbing is the most reliable and effective SEU 
mitigation method for the Xilinx Virtex and Virtex 2 devices [112]. 
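Why the combination of TMR and scrubbing matters, as an added Python model that is not part of the thesis or of Xilinx's XTMR tool: a bitwise majority voter over three replicas whose upsets persist until the next scrub. The stand-in module output, the upset schedule and the modelling of an upset as a persistent single-bit output error are assumptions.

```python
"""Triple modular redundancy with a bitwise majority voter, with and without
periodic scrubbing. An upset is modelled (assumption) as a persistent single-bit
error on one replica's 128-bit output until the configuration is rewritten."""

MASK128 = (1 << 128) - 1

# Constructed upset schedule: (cycle, replica index, output bit).
# Both upsets hit the same bit position, in two different replicas.
UPSETS = [(2, 0, 5), (7, 1, 5)]


def module_output(t):
    """Stand-in for the fault-free 128-bit output of the protected module at cycle t."""
    return (0x0123456789ABCDEF0123456789ABCDEF * (t + 1)) & MASK128


def majority_vote(a, b, c):
    """Bitwise 2-out-of-3 vote: each output bit takes the value at least two inputs share."""
    return (a & b) | (a & c) | (b & c)


def run_tmr(cycles, upsets, scrub_interval=None):
    """Run the three replicas for `cycles` clock cycles.

    Returns (wrong, masked): cycles in which the voted output was wrong, and
    cycles in which some replica was faulty but the voter still produced the
    correct word. With scrub_interval set, all accumulated upsets are cleared
    every scrub_interval cycles.
    """
    fault = [0, 0, 0]          # persistent XOR error mask per replica
    wrong = masked = 0
    for t in range(cycles):
        if scrub_interval and t > 0 and t % scrub_interval == 0:
            fault = [0, 0, 0]  # scrubbing rewrites the configuration of every replica
        for when, replica, bit in upsets:
            if when == t:
                fault[replica] ^= 1 << bit
        good = module_output(t)
        voted = majority_vote(*(good ^ f for f in fault))
        if voted != good:
            wrong += 1
        elif any(fault):
            masked += 1
    return wrong, masked


if __name__ == "__main__":
    print("TMR only          (wrong, masked):", run_tmr(12, UPSETS))
    print("TMR + scrub every 4 cycles       :", run_tmr(12, UPSETS, scrub_interval=4))
```

Without scrubbing the second upset lands on a bit that is already wrong in another replica and the voter is outvoted; with scrubbing the first upset is gone before the second arrives.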
The obvious disadvantage of TMR is the limitation on the design size (less than 1/3 of 
the total device). However, the latest Xilinx FPGAs have grown to densities of 15 
million gates, which make it possible to implement the complex SOC design. Xilinx 
has implemented four PowerPC 405 processors into the Virtex 2 FPGA fabric and 
embedded high-speed multi-gigabit serial I/Os around it. Meanwhile, the radiation-
hardened QPro FPGAs' density can reach 6 million gates. Although TMR has the 
highest reliability for filtering single and multiple event upsets, this is also the most 
costly solution, which is in contradiction with the design concept of small 
satellites. SEU mitigation is an aspect taken into account when SRAM-based 
FPGAs are used in space. The discussion on SEU mitigation is taken up in 
Chapter 5. 
4.2 FPGA Development Tools & Flow 
This section discusses the flow and the tools used in the FPGA implementations of the 
AES algorithm. The implementation flow diagram is shown in Figure 4-5. A Hardware 
Description Language (HDL) is used for the behavioural description of the AES 
algorithm. 
ModelSim 
ModelSim is a well-engineered logic simulator from Mentor Graphics for the 
simulation of hardware designs written in VHDL, Verilog or SystemC or a mixture of 
these three languages [89]. It compiles the sources and simulates them. Modelsim is 
used for the simulation of the HDL design. The HDL designs were tested using the 
test vectors. Once the simulations are verified and running as expected then synthesis 
of the design is carried out. During this research ModelSim SE V6.0 was used. 
Synplify 
Synplify from Synplicity is a synthesis tool that generates gate-level netlist for the 
specified target FPGA from the VHDL/Verilog design source files [90]. The netlist 
can be optimized under various constraints, such as minimum area or maximum 
possible clock frequency. HDL based behavioral descriptions usually serve as an 
input format for the synthesis process. Furthermore, this tool creates schematics of the 
design on RTL level or on logic level. In this project Synplify V 7.7 was used. 
Xilinx ISE 
Xilinx ISE is a software environment with many tools to provide all steps of the 
hardware design from editing the sources up to downloading the design into a Xilinx 
FPGA. User constraints such as frequency of operation and area requirements can be set 
before starting the implementation flow [22]. Design implementation is the process of 
translating, mapping, placing, routing and generating a bitstream file for the design. 
At each point of the design flow it can create a simulation model of the design. This 
simulation file can be verified using Modelsim. Xilinx ISE 8.1 was used during this 
project. 
XPower 
The Xilinx XPower tool, part of the Xilinx ISE package, was used for power 
estimation. The XPower tool is provided in ISE packages of 
version 4.1 and above [91]. 
4.2.1 Hardware Design Flow 
[Figure 4-5: flow diagram. Synthesis and optimization (Synplify) produces the gate level netlist; implementation produces the post translate, post map and post place & route simulation models (the last with an SDF file); post P&R timing simulations (Modelsim) produce the Value Change Dump (.vcd) file, which together with the physical constraint file (.pcf) and the post route netlist (.ncd) feeds power analysis (XPower); the design is then downloaded to the FPGA.] 
Figure 4-5 FPGA Design Implementation Flow 
Figure 4-5 gives an overview of the steps of the hardware design flow. AES 
implementations were written using the Verilog HDL language and Modelsim was 
used for the functional simulation of the design. The HDL designs are tested 
extensively using the Known Answer Test (KAT) and Monte Carlo Test (MCT) 
vectors described by NIST [19,21]. Once the design verification is over the next step 
is synthesis. Synplify is used for synthesis which converts the HDL design to a netlist 
for a target FPGA. Here the design can be constrained for area or timing. A simulation 
file is created after the synthesis and is verified using the Modelsim, again using the 
KAT & MCT test vectors. After the successful completion of this step, 
implementation is carried out using the Xilinx ISE. It takes the netlist, which is 
created by synthesizing the design as one input and area and timing constraints as 
another input. Xilinx ISE maps, places and routes the design and generates a bit file 
for the HDL design which will be used to configure the FPGA. The static timing analysis 
checks the design after the place and route against the user defined timing constraints. 
As the final simulation step, dynamic timing simulations are carried out. Place and 
route design phase creates a HDL simulation model of the design along with a data 
base (Standard Delay Format - SDF) that contains the timing information of the 
routed design. This HDL simulation model with the timing database can be simulated 
in the Modelsim. The timing simulation verifies that the design runs with the desired 
speed on the target device. At each step, during the implementation flow, a simulation 
file is created by the ISE and it is used in Modelsim for the verification of the design 
using again the KAT & MCT test benches. 
The XPower tool works on the principle of 'activity rates' or 'toggle rates'. Activity 
rates are defined as the rate at which a net or logic element capacitance switches. For 
dynamic power calculation and display, activity rates are expressed as a function of 
frequency. An activity rate may be relative to a clock, in that the net or logic element 
switches at some percentage of the clock frequency. This is often referred to as toggle 
rate. Expressed as a percentage, an activity rate of 100% means a signal state change 
happens on average once every clock cycle with the resultant frequency being half the 
associated clock. For nets and logic that are not synchronized with a clock, the 
activity rate is just the switching rate. In order for XPower to be able to determine the 
power consumption of a given design, every net in the design must have an activity 
rate assigned to it. The activity rate is assigned using a Value Change Dump (VCD) 
file generated after back annotated simulations as shown in Figure 4-5. Inputs to 
XPower tool are the Post route netlist (NCD), the Physical Constraint File (PCF) and 
the VCD file. PCF file includes both the physical constraints created by the mapper 
and physical constraints entered by the user. XPower uses the VCD file to set toggle 
rates and frequencies of all the signals in the design to estimate power consumption. 
As the last step in the design flow the design can be downloaded into the target FPGA 
and finally the design can be tested under typical operating conditions. 
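The activity-rate definition above, applied to a Value Change Dump, as an added Python example that is not part of the thesis and does not reproduce XPower's internal processing. The VCD text, its net names and the 40 ns clock period are constructed sample data; the function names are assumptions.

```python
"""Activity (toggle) rates computed from a Value Change Dump, following the
definition in the text: 100% means one state change per clock cycle on average.
The dump below is constructed sample data for a 25 MHz (40 ns) clock."""

SAMPLE_VCD = """\
$timescale 1ns $end
$scope module aes_tb $end
$var wire 1 ! clk $end
$var wire 1 % load $end
$var wire 1 & done $end
$var wire 8 * state_byte [7:0] $end
$upscope $end
$enddefinitions $end
#0
$dumpvars
0!
0%
0&
b00000000 *
$end
#20
1!
1%
b1111 *
#40
0!
#60
1!
0%
b11110000 *
#80
0!
#100
1!
b11110001 *
#120
0!
#140
1!
1&
#160
0!
"""


def count_toggles(vcd_text):
    """Return {net name: (width, number of 0<->1 bit transitions)} for every $var."""
    ids = {}       # VCD identifier code -> (name, width)
    last = {}      # identifier code -> last value as a bit string
    toggles = {}   # identifier code -> accumulated bit transitions
    in_header = True
    for raw in vcd_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_header:
            tok = line.split()
            if tok[0] == "$var":
                ids[tok[3]] = (tok[4], int(tok[2]))
                toggles[tok[3]] = 0
            elif tok[0] == "$enddefinitions":
                in_header = False
            continue
        if line[0] in "#$rR":            # timestamps, $dumpvars/$end, real values
            continue
        if line[0] in "bB":              # vector change: b<bits> <id>
            value, ident = line[1:].split()
        else:                            # scalar change: <bit><id>
            value, ident = line[0], line[1:]
        width = ids[ident][1]
        value = value.lower()
        pad = value[0] if value[0] in "xz" else "0"   # VCD left-extension rule
        value = value.rjust(width, pad)
        old = last.get(ident)
        if old is not None:              # the first value is initialisation, not a toggle
            toggles[ident] += sum(1 for o, n in zip(old, value)
                                  if o in "01" and n in "01" and o != n)
        last[ident] = value
    return {name: (width, toggles[i]) for i, (name, width) in ids.items()}


def activity_rates(vcd_text, clock="clk"):
    """Per-bit activity rate of each net in percent of the clock's cycle count."""
    nets = count_toggles(vcd_text)
    cycles = nets[clock][1] / 2          # a clock changes state twice per cycle
    return {name: 100.0 * t / (width * cycles) for name, (width, t) in nets.items()}


def toggle_frequency_mhz(rate_percent, clock_mhz):
    """Resulting signal frequency: a 100% rate gives half the clock frequency."""
    return rate_percent / 100.0 * clock_mhz / 2


if __name__ == "__main__":
    for net, rate in activity_rates(SAMPLE_VCD).items():
        print(f"{net:12s} {rate:7.3f} %  {toggle_frequency_mhz(rate, 25):6.3f} MHz")
```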
4.2.2 Design Parameters 
The design parameters, which are used in the evaluation of the FPGA 
implementations, such as throughput, power, area and latency are briefly discussed in 
this section. 
Power 
The total power consumption of a CMOS circuit is the sum of static and dynamic 
power consumption. The static power consumption, caused by the leakage current, 
mainly depends on the size of the chip. It is very small and can be more or less 
ignored here. The dynamic power consumption consists of loading and unloading the 
total capacitance (CL) of the chip. Equation 4-1 [88] presents the influences on 
dynamic power consumption. The design measures for lowering the power 
consumption result from minimizing the factors in this equation. 
(4-1) 
where CL is the load capacitance, VDD is the supply voltage, fCLKeff is the effective 
clock frequency of the design, Esw is the switching probability or activity of the design 
nets. The load capacitance on the chip CL increases as more gates are placed on the 
die. This means that lowering the die size as well as reducing the supply voltage (VDD) 
to a minimum directly reduces power consumption. These two coefficients are 
somehow predetermined by the low die-size constraint and the operating conditions of 
the chip. Assuming a fixed supply voltage, the best option for a low-power design is 
reducing the effective clock frequency fCLKeff of the circuit. It reduces the power 
consumption linearly [92]. 
The switching activity Esw of the circuit can be reduced by using a method called 
sleep logic. Whenever the output of a combinational circuit is not needed changes of 
the input data will nevertheless cause switching activity and hence power 
consumption inside the module although the computed data is not needed. In order to 
prevent this undesired switching activity the inputs of the combinational circuit are 
masked using AND gates. A sleep signal that disables the AND gates prevents all 
switching activities of the combinational logic behind the gate because the input is 
constantly zero. 
Energy 
Energy consumption is calculated using (4-2). Energy consumed during encryption is 
calculated by multiplying the total power consumption with the simulation time. 
Energy = power * time (4-2) 
Throughput 
Throughput of the AES implementations is calculated using the following expression: 
Throughput = (128 / n) * f (4-3) 
where n is the number of clock cycles required to encrypt 128-bit data block and f is 
the frequency of operation. 
Latency 
Latency of AES implementations is measured in terms of number of clock cycles. 
Latency is the delay, in clock cycles, between sending a command to start encryption 
and the moment the first piece of encrypted data is available on the output. 
4.3 Characterisation of FPGA-based AES Implementations 
In present FPGA implementations researchers have thoroughly investigated the effect 
of various optimization techniques on throughput and device area. In addition to 
throughput and area, power consumption is a critical parameter for satellite 
applications. This section explores the throughput, power and area trade-offs of AES 
implementations targeting SRAM-based FPGAs by exploiting the algorithmic and 
architectural optimization techniques outlined in sections 2.6.1 and 2.6.2. 
4.3.1 AES Implementations Using Algorithmic Optimizations 
Three AES designs, which are based on the algorithmic optimization Options 1, 2 & 3 
(Table 2-5) are used in the experimental work. The designs are realized using three 
different intellectual property (IP) soft cores written in the Verilog hardware 
description language (HDL) as follows: 
Option1 - An existing open-source AES IP core (AES (Rijndael) Core) is used for the 
FPGA implementation and power measurements for Option1 as it uses an LUT 
approach for the SubBytes transformation and a non-LUT approach for the 
MixColumns transformation. The core is provided at the OPENCORES website [93]. 
The top level block diagram of the Option1 encryption core is shown in Figure 4-6 and 
the encryption data path is shown in Figure 4-7. The primary inputs to the encryption 
data path are 128 bit input data and the key and output is 128-bit encrypted data. 
Input clock, reset signals are used by the control logic. The input data and the key are 
loaded into the input registers when the load signal is asserted. Once the encryption is 
completed the control circuitry will assert the done signal. 
[Figure 4-6: block diagram of the AES encryption core. Inputs: clk, reset, load, 128-bit key, 128-bit input data. Outputs: done, 128-bit output data.] 
Figure 4-6 Block Diagram of the AES Encryption Core 
[Figure 4-7: data path with 128-bit input data and 128-bit input key; SubBytes, ShiftRows and MixColumns on the data side; SubWord, RotWord and RCon on the key side with the previous round key, producing the 128-bit expanded key; 128-bit encrypted output.] 
Figure 4-7 Data Path of Option1 Encryption Core 
As discussed in Section 2.3.1, the 128-bit input data is grouped into 16 bytes and 
arranged into a 4 x 4 matrix called a state matrix. At the start of encryption, when the load 
signal is asserted, during the initial round the input state matrix is XORed with the 
input key. The input multiplexer is used to select either the initial state matrix or the 
subsequent transformed round matrix. The whole process is repeated until all the 
rounds of transformation are completed. The input register is used to keep the 
transformed state after every round of operation. In each round, SubBytes, 
ShiftRows, MixColumns and AddRoundKey transformations are carried out on the 
state matrix. The final round doesn't have the MixColumns transformation. The 
input key is expanded by the KeyExpansion algorithm to generate the appropriate 
round keys, as discussed in 2.3.2. Key expansion 
transformations such as SubWord, RotWord and Rcon are used to generate the 
intermediate round key for the initial and each of the 10 rounds of the AES. 
Option2 - The Option2 core is also an open-source core 
from the OPENCORES website [3]. This core ([...] 
128-bit AES core) is entirely based on 
combinational logic, as it uses a non-LUT approach for both the SubBytes and 
MixColumns transformations. The block diagram for the non-LUT approach of 
SubBytes and MixColumns can be found at [110] and are described at Appendix [...] 
Option3 - The Option3 core is developed in-house and is based on a look-up table 
implementation of both the SubBytes and MixColumns transformations. This core is 
written in Verilog HDL and the simulation tools used for the FPGA implementation 
flow are Modelsim, Synplify and Xilinx ISE. The data path of AES encryption 
algorithm is shown in Figure 4-8. Both the SubBytes and MixColumns transformations 
are implemented using the T-Box and S-Box look-up tables. 
[Figure 4-8: data path with 128-bit input data and 128-bit input key; ShiftRows followed by combined SubBytes + MixColumns (S-Box & T-Box); 128-bit expanded key; 128-bit encrypted output.] 
Figure 4-8 AES Data Path of the Option3 AES Core 
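The three algorithmic options compared in software, as an added Python example that is not taken from the thesis or from the OPENCORES cores: SubBytes computed from GF(2^8) arithmetic (non-LUT), SubBytes as an S-box table with computed MixColumns, and both merged into T-box lookups. It models the arithmetic only, not the cores' logic; all function names are assumptions.

```python
"""SubBytes and MixColumns three ways: computed from GF(2^8) arithmetic (non-LUT),
S-box table plus computed MixColumns, and merged T-box lookups. A software model
of the arithmetic, not of any hardware core's logic."""


def xtime(a):
    """Multiply by x (that is, by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def gmul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p


def _rotl(v, n):
    """Rotate an 8-bit value left by n positions."""
    return ((v << n) | (v >> (8 - n))) & 0xFF


def sbox_computed(x):
    """Non-LUT SubBytes: multiplicative inverse (x^254, with 0 -> 0), then the affine map."""
    inv = 1
    for _ in range(254):
        inv = gmul(inv, x)
    return inv ^ _rotl(inv, 1) ^ _rotl(inv, 2) ^ _rotl(inv, 3) ^ _rotl(inv, 4) ^ 0x63


# LUT SubBytes: the same function stored as a 256 x 8-bit table.
SBOX = [sbox_computed(x) for x in range(256)]


def mix_column(col):
    """Non-LUT MixColumns on one 4-byte column of the state."""
    a0, a1, a2, a3 = col
    return [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]


# T-box: SubBytes and MixColumns merged into one 256 x 32-bit table.
# T0[x] is the contribution of the first byte of a column to all four output bytes.
T0 = [(gmul(s, 2), s, s, gmul(s, 3)) for s in SBOX]


def tbox(i, x):
    """Entry x of table T_i, which is T0[x] rotated down by i byte positions."""
    t = T0[x]
    return t[-i:] + t[:-i] if i else t


def round_column_sbox(col):
    """S-box lookup followed by computed MixColumns (col is taken after ShiftRows)."""
    return mix_column([SBOX[b] for b in col])


def round_column_tbox(col):
    """Same result from four table lookups and XORs only."""
    out = [0, 0, 0, 0]
    for i, b in enumerate(col):
        out = [o ^ v for o, v in zip(out, tbox(i, b))]
    return out


def tbox_matches_sbox_path():
    """Compare both paths on 256 constructed columns covering every byte value."""
    cols = ([a, (3 * a + 1) & 0xFF, a ^ 0x5A, 255 - a] for a in range(256))
    return all(round_column_sbox(c) == round_column_tbox(c) for c in cols)


def table_bits():
    """Storage per table in bits: (one S-box, one T-box)."""
    return len(SBOX) * 8, len(T0) * 32


if __name__ == "__main__":
    print("S-box(0x53) =", hex(SBOX[0x53]))
    print("T-box path equals S-box + MixColumns:", tbox_matches_sbox_path())
    print("bits per table (S-box, T-box):", table_bits())
```

One T-box holds four times the bits of the S-box, and the final round, which has no MixColumns, still needs the plain S-box.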
4.3.2 Effect of Algorithmic Optimization 
To study the effect of algorithmic optimizations on throughput, power and area, the 
three AES IP cores, Option1, 2 & 3, have been implemented on the XC2V1000, a Xilinx 
Virtex 2 family FPGA. All the three options have been implemented using the FPGA 
implementation flow described in section 4.2 and throughput, area, power & energy 
consumption estimations have been carried out based on the back-annotated 
simulations. Table 4-2 lists throughput, dynamic and total power consumption at 25 
MHz frequency of operation. The device utilization is listed as percentage of the total 
available 5120 slices and 40 block RAMs (BRAM). Table 4-2 also presents the 
estimated execution time and energy required to encrypt the test image which is 
shown in Figure 3-10 (a). The image has 871 (W) x 868 (H) pixels and each pixel is of 
24 bits, representing three spectral bands with 8 bits per band. Thus, the number of 
128-bit blocks for this image is 141755. The plots in Figures 4-9 and 4-10 show the throughput and 
power consumption respectively, for all the three IP cores at different frequencies. All 
the plots have been extended until the fmax, maximum frequency of operation, of their 
respective Options. FPGA resources utilized by these implementations are plotted in 
Figure 4-11. In all these three Options, key scheduling has been carried out on-line. 
From Table 4-2, we can observe that Option1 & 3 are delivering similar throughput of 
267 Mbps whereas Option2 is delivering just 25 Mbps. This is because Option2 is 
implemented using 8-bit architecture for data path and operates on a single state byte 
at a time whereas Option1 & 3 use 128-bit architecture and operate on the whole 
state matrix (16 bytes) at once. Hence Option1 & 3 cores take fewer clock cycles for 
encryption of a block than Option2. Option1 & 3 take 12 clock cycles whereas 
Option2 takes 127 clock cycles for encryption of one block of data. Using equation 4-3, 
at 25 MHz, Option1 & 3 IP cores achieve a throughput of 267 Mbps and the 
Option2 IP core 25 Mbps. 
From plots in Figure 4-9 & 4-10, it can be observed that even though Option1 & 3 
achieve identical throughput, Option3 consumes more power and area compared to 
Option1. This is because the Option3 implementation uses look up tables (T-Box & 
S-Box), so it consumes more power and occupies more device area (slices & BRAMs) 
compared to Option1. This is reflected in the energy consumption as well. 
Between Option1 & 2, Option2 consumes less power and delivers lower throughput. 
This is mainly because Option2 uses 8-bit architecture path. Option2 delivers 10 times 
lower throughput than Option1. However power consumption, even though low, is 
comparable to Option1. This is because, in Option2 SubBytes are implemented using 
combinational logic and hence the switching activity will be more compared to 
Option1 which uses S-Box look-up table. Also combinational logic is mapped onto 
the configurable logic block (CLB) slices of the FPGA whereas look-up tables are 
mapped onto the embedded Block RAMs. In Xilinx FPGAs, the design mapped onto 
the embedded resources (BRAM) consumes less power compared to the design 
mapped onto the CLB slices [94]. In addition to voltage, frequency of operation, load 
capacitance, power consumption is proportional to switching activity too. From Table 
4-2 it can be observed that Option2 consumes more energy than Option1, even though 
it takes less power. From the above analysis, it is observed that Option1 consumes 
less energy and occupies less area than other Options and hence is the better choice 
among the three. 
Figure 4-9 Throughput vs Frequency for AES Implementation Options 1, 2 & 3 (plot: x-axis frequency (MHz); series option 1, option 2, option 3)
Figure 4-10 Dynamic Power Consumption vs Frequency for the AES Implementation Options 1, 2 & 3 (plot: x-axis frequency (MHz); series option 1, option 2, option 3)
Figure 4-11 Slice Utilization of the Virtex 2 XC2V1000 FPGA for AES Implementation Options 1, 2 & 3
Table 4-2 AES Implementations using Xilinx Virtex 2 Device XC2V1000 (On-line Key
Expansion)
Device is XC2V1000 FF896-6 & f = 25 MHz

Option No           Throughput  Dynamic     Total       Execution   Energy  Device Utilization      Max. Freq
(data path width)   (Mbps)      Power (mW)  Power (mW)  time* (ms)  (mJ)    Slices       BRAM       f_max (MHz)
Option 1 (128-bit)  267         534         885         68          60.2    452 (8%)     20 (50%)   111
Option 2 (8-bit)    25.1        197         548         720         394.5   994 (19%)    0 (0%)     72
Option 3 (128-bit)  267         779         1130        68          76.8    1226 (23%)   40 (100%)  90

* Estimated execution time = (no. of blocks in the test image × no. of cycles to encrypt one block) /
freq.
4.3.3 AES Implementations Using Architectural Optimizations
In section 4.3.1, we have used algorithmic optimizations which are specific to the
AES algorithm transformations. As discussed in section 2.6.1, in addition to
algorithmic optimisations, architectural optimisations are also adopted in AES
implementations. Unlike algorithmic optimisations, architectural optimisations such
as pipelining, sub-pipelining and loop unrolling are independent of the
transformations of the AES algorithm.
Three different AES designs based on architectural optimization, PP-10, SP-1-10
and SP-2-10, are developed. The designs are realized by implementing
them in the Verilog HDL and following the subsequent implementation flow, as
follows:
PP-10 - This is the fully pipelined implementation of the AES. In a pipelined
implementation of the AES, the iterative loop is unrolled and registers are
inserted at the end of every round as shown in Figure 4-12. The architecture is called
fully pipelined when the number of pipeline stages equals the number of rounds. As
all the ten rounds are unrolled and pipelined, it is referred to as the fully pipelined
implementation of the AES, PP-10.
Figure 4-12 Block Diagram of the Pipelined Implementation of the AES (diagram: 128-bit input data; Round 1, Round 2 ... Round 10 with key registers; 128-bit encrypted output)
SP-1-10 & SP-2-10 - SP-1-10 & SP-2-10 are implemented using sub-pipelining
within the AES datapath. Sub-pipelining in [...] pipeline within the
round transformation itself as shown in Figure 4-13. Once the pipeline is full, this
implementation will produce encrypted output at every clock cycle. By adding
sub-pipeline stages, the round function of each pipeline is divided into smaller
functional blocks. This results in a decrease of the delay between [...]
and hence increases the maximum frequency of operation. However, each
division of the round function increases the latency, the number of clock cycles
required to perform an encryption, by a factor equal to the number of sub-divisions.
One sub-pipeline within a round of the fully pipelined AES (PP-10) is referred to as
SP-1-10. If there are two sub-pipeline stages in a PP-10 round then it is referred to as
SP-2-10.
Figure 4-13 Block Diagram of the Sub-Pipelined Implementation of the AES
Here the implementations PP-10, SP-1-10 and SP-2-10 expand the key off-line and
store the key in registers. For the iterative implementation of the AES the key is
expanded and stored in the registers. Key selection for the appropriate RoundKey
during the encryption is carried out using control logic. For pipelined implementations
also the key is expanded beforehand and stored in the registers but there is no need
for key multiplexing as the loop is fully unrolled as in Figures 4-12 and 4-13.
However, the key can be expanded on-line for pipelined implementations provided
the key expansion unit is also divided into the same number of pipelined and
sub-pipelined stages as the main data round unit.
4.3.4 Effect of Architectural Optimization 
Throughput, device utilization and power estimations of PP-10, SP-1-10 and SP-2-10
are carried out based on back-annotated simulations and tabulated in Tables 4-3 &
4-4. These implementations are compared with the iterative implementation of the
AES, Option 1.
From Table 4-3, it can be observed that the pipelined implementations, PP-10,
SP-1-10 and SP-2-10, require more slices and BRAM compared to the iterative
architecture of Option 1. However, they consume less power compared to the iterative
implementation of the AES. This is because each pipeline handles only one round and
passes the result to the next round, and the output of each pipeline round connects
only to the input of the next round. This not only eliminates shared data path, control
and storage, but also shortens the length of the connections between stages. The
highly localized wiring reduces propagation delays, wire capacitance and loading so
the power is reduced [95,96]. The iterative option consumes 1522 mW of dynamic
power whereas PP-10 consumes 858 mW. However, SP-1-10 & SP-2-10 consume more
power compared to PP-10 but still less than the power consumption of the iterative
architecture. The increase in power consumption is because of the additional registers
used for sub-pipelining.
The iterative architecture takes 10 clock cycles for the encryption of a 128-bit data
block, hence delivering a throughput of 320 Mbps at 25 MHz frequency of
operation. In the PP-10 implementation, once the pipeline is full after 10 clock cycles
of latency, encrypted output is produced at every clock. Hence the throughput is 10
times more compared to the iterative architecture. The throughput is 3.2 Gbps in the
case of the fully pipelined implementation at 25 MHz. The fully pipelined
implementation will produce the highest throughput of the design. However, with
additional sub-pipelined stages it is possible to reduce the delay of the pipelined round
unit and hence increase the maximum frequency of operation as shown in Table 4-3.
However, each sub-pipeline division of the round function increases the latency by a
factor equal to the number of sub-divisions as shown in Table 4-4. In the case of PP-10
the latency is 10 clock cycles whereas in the SP-1-10 and SP-2-10 implementations
the latency is 20 and 30 clock cycles respectively.
It can also be observed from Table 4-3 that the sub-pipelined implementations
(SP-1-10 & SP-2-10) occupy a similar number of slices as the pipelined implementation
(PP-10). PP-10 occupies 62% of the 14336 total available slices and SP-1-10 also
occupies the same number of slices. This can be explained by observing the map
reports generated by the Xilinx ISE. Even though these implementations occupy a
similar number of slices, their logic utilization (number of slice flip-flops and number
of 4-input LUTs) is different as listed in Table 4-4. The Xilinx ISE tool maps the
additional registers used for sub-pipelining to flip-flops and LUTs within the slices.
Hence the number of slices remains the same; however, the utilization of slice
flip-flops and LUTs will increase with the number of sub-pipeline stages.
Table 4-3 The AES Implementations with Pipelining (128-bit Data Path & Off-Line Key
Expansion)
Device is XC2V3000 BF957-6 & f = 25 MHz

AES           Throughput  Dynamic     Total       Execution   Energy  Device Utilization      Max. Freq
Architecture  (Mbps)      Power (mW)  Power (mW)  Time* (ms)  (mJ)    Slices       BRAM       f_max (MHz)
Iterative     320         1522        1900        56.7        107.7   4347 (30%)   16 (16%)   66
PP-10         3200        858         1236        5.67        7       8892 (62%)   96 (100%)  83.8
SP-1-10       3200        1007        1385        5.67        7.85    8893 (62%)   96 (100%)  111
SP-2-10       3200        1133        1511        5.67        8.57    9208 (64%)   96 (100%)  125

* Estimated execution time = (no. of blocks in the test image × no. of cycles to encrypt
one block) / freq.
Table 4-4 Logic Utilization of the Pipelined Implementations

AES                        Logic Utilization                        Logic Distribution  Latency
Architecture               No. of Slice F/Fs  No. of 4-Input LUTs   Slices              (no. of clock cycles)
PP-10                      2182 (7%)          3999 (13%)            8892 (62%)          10
SP-1-10                    3462 (12%)         3990 (13%)            8893 (62%)          20
SP-2-10                    4614 (16%)         4686 (16%)            9208 (64%)          30
Total Number of
Resources Available        28672              28672                 14336
From Table 4-4, it can be summarized that architectural optimization techniques such 
as pipelining and sub-pipelining reduce the energy consumption of the AES 
considerably but at the expense of a slight increase of the area. So depending on the 
application requirements various optimization techniques should be adopted. 
4.3.4 Effect of FPGA Technology 
The previous section analyzes throughput, power and area consumption of AES using
optimizations at design level. The analysis carried out in sections 4.3.2 and 4.3.3
identified that the Option 1 implementation of the AES algorithm is the optimal choice
for satellite on-board use in terms of power, speed and device area. The other dimension
to analyze in the design space of AES implementations is the target FPGA
technology. In order to observe the technology dependence of design space
parameters, we implemented the iterative Option 1 AES on different Xilinx families of
FPGAs such as Virtex, Virtex 2, Virtex 4 and Spartan 3 [22]. Table 4-5 gives details
about the FPGA devices under consideration and the voltages used in these devices.
The core supply voltage, Vccint, is the main source of supply voltage to the design under
consideration. The I/O voltage, Vcco, is the supply voltage for the inputs and outputs of
the FPGA.
Table 4-5 Different Xilinx Family FPGA Devices Used for the AES Implementation

FPGA Family          Xilinx Device       Core Vol.    I/O Vol.   f_max for
(CMOS technology)                        Vccint (V)   Vcco (V)   Option 1 (MHz)
Virtex (0.22 µm)     XCV800 BG560-6      2.5          3.3        50
Virtex 2 (0.15 µm)   XC2V1000 FF896-6    1.5          3.3        111
Spartan 3 (0.09 µm)  XC3S1500 FG676-5    1.2          2.5        90
Virtex 4 (0.09 µm)   XC4VLX25 FF668-11   1.2          2.5        150
Figure 4-14 Dynamic Power Consumption vs Frequency for Option 1 on Different Family
FPGAs (plot: x-axis frequency (MHz); series virtex, virtex2, spartan3, virtex4)
Figure 4-15 Total Power Consumption vs Frequency for Option 1 on Different Family FPGAs
(plot: x-axis frequency (MHz); series virtex, virtex2, spartan3, virtex4)
Figure 4-16 Share of Static Power Consumption in the Total Power of Option 1 AES
Implementation on a Spartan 3 FPGA (a) 25 MHz (b) 75 MHz
Figure 4-15 presents a plot of the total power consumption versus frequency
relationship for the IP core implementing Option 1 with respect to different FPGA
families. It can be seen from Figure 4-15 that power consumption not only depends on
the implementation style, but also on the FPGA family chosen (technology
used) and the voltage levels used in the FPGA. Figure 4-14 presents a plot of the dynamic
power consumption versus frequency relationship for the IP core implementing
Option 1 with respect to different FPGA families. It is seen in Figures 4-14 & 4-15
that FPGA families with lower supply voltages consume lower dynamic power, as
expected. It is observed that the Option 1 implementation consumes almost half the
power when implemented on the Spartan 3 XC3S1500 FPGA compared to the Virtex
XCV800 FPGA.
The static power consumption of an FPGA remains constant irrespective of the
implementation and frequency of operation as it mainly depends on the technology
used for the fabrication of the device. At low frequency of operation static power is
dominant and is comparable to dynamic power. But at higher frequencies, static
power has a lower share in total power consumption. The split between static and
dynamic power consumption for the AES implementation Option 1 on a Spartan 3
XC3S1500 Xilinx FPGA at different frequencies is shown in Figure 4-16. The static
power consumption in Figures 4-16 (a) and (b) is the same (178 mW) but it forms
different portions of the total power.
It can be concluded from these observations that in order to get low power, it is not 
only necessary that low power optimisation techniques are followed at design level, 
but the FPGA should be chosen so that it uses low power technology and low supply 
voltages. Also selecting the right frequency of operation and switching off the FPGA 
device when not in use will reduce static power consumption. 
4.3.5 Discussion 
AES can be implemented using various algorithmic and architectural optimisation
techniques. Algorithmic optimisations are divided into different options such as
Options 1, 2 and 3. From the analysis in section 4.3.1, it is concluded that Option 1 is
the optimal implementation in terms of device area, power, energy and throughput. This
is in line with the observation from Table 2-8 that most of the published FPGA
implementations of AES have adopted Option 1. Architectural optimisations such as
pipelining and sub-pipelining are applied to the Option 1 AES. It is observed that
pipelining and sub-pipelining reduce power and energy consumption but at the
expense of FPGA area. So the architectural implementations may be considered for
on-board implementations when device area is not a big issue. It is also illustrated
that using low power FPGAs such as Spartan 3 or Virtex 4 could further reduce the
power consumption of the algorithm.
4.4 Conclusions 
Implementations of the AES algorithm using both the algorithmic and architectural
optimization techniques have been carried out and design parameters are explored in
order to identify a suitable implementation approach for space applications.
Algorithmic optimisations are divided into different options such as Options 1, 2 & 3.
All these three options have been implemented on Xilinx family FPGAs using soft IP
cores.
AES implementations using architectural optimizations such as pipelining and
sub-pipelining have also been implemented. It is demonstrated that architectural
optimizations reduce power and energy consumption considerably but at the expense
of FPGA area. From the analysis of the implementations it is observed that Option 1 is
the optimal choice for applications, including satellite on-board use, where throughput
needs to be in the order of hundreds of Mbps but requires less device area. In addition,
Option 1 consumes a very small portion of the power available to the payload unit. It is
also recommended to use low power FPGAs such as Spartan 3 or Virtex 4 to further
bring down the power consumption of the algorithm.
Chapter 5. Fault Tolerant Model of the AES 
Chapter 5 
5 Fault Tolerant Model of the AES Algorithm 
5.0 Introduction 
In the previous chapter various implementations of the AES algorithm have been 
discussed targeting FPGA platforms. Various optimization techniques are adopted and 
design parameters such as throughput, area, power, energy have been explored. 
Suitability of these implementations for on-board use has been discussed. The present
FPGA implementations have achieved the throughput demanded by present EO
satellites while consuming low area and power.
In addition to high throughput and low power consumption, fault detection and 
tolerance is very important particularly in satellites. This is because satellites are in 
contact with ground station for very short durations of time. If faulty data is 
transmitted to the ground station, the user's request for data re-transmission has to 
wait until the next satellite revisit period, with revisit time varying from a couple of 
hours to weeks. 
As discussed in Chapter 4, satellites operate in a harsh radiation environment and 
consequently any electronic system used on-board, including the encryption 
processor, is susceptible to radiation-induced faults. Most of the faults that occur in 
satellite on-board electronic devices are radiation induced bit flips called SEUs. SEUs 
can corrupt the data during on-board encryption. The other source of faults is noise in 
the transmission channel. Satellite data can get corrupted during transmission to 
ground due to this noise. All implementations targeted for on-board use should be 
robust to faults to tolerate harsh radiation environment. 
Extensive research has been carried out and published on the impact of faults during 
transmission; however, no work has been carried out on the combined effect of the 
fault occurrence and the choice of the AES mode during encryption for both radiation 
induced faults and transmission faults. In this chapter the latter issue is addressed. A
detailed analysis is carried out to study the impact of faults during encryption and 
during transmission and the results are compared for all the AES modes. Also suitable 
modes of AES are recommended for satellite on-board use. 
The chapter is organized as follows. Section 5.1 describes the impact of faults during 
on-board encryption caused by SEUs and faults during transmission caused by noise. 
Section 5.2 discusses the propagation of transmission faults and SEU faults in each of 
the five modes, ECB, CBC, CFB, OFB and CTR. Multispectral satellite images from 
SSTL have been employed to demonstrate the SEU propagation in the AES modes. 
Section 5.3 presents a parity based fault detection model of the AES. And section 5.4 
presents the fault detection and correction model of the AES based on the Hamming 
Codes. Section 5.5 concludes the chapter. 
5.1 Faults in Satellite Data 
Bit-flip faults can occur during encryption as satellites operate in a harsh radiation 
environment and therefore any electronic systems used on-board, such as processors, 
memories etc., are very susceptible to faults induced by radiation. There is no 
exception for an encryption processor used on-board, which should be robust enough 
to faults in order to avoid transmission of corrupted data to ground. Most common and 
frequent radiation faults in satellite on-board electronics are bit flips called SEUs. 
SEUs are soft or temporary faults and correcting them can restore the normal 
operation of the device. 
A study measuring the fault propagation in one block of AES has reported that even a 
single-bit fault during the encryption process can result in many faults in the final 
encrypted data and on average 50 % of the bits in the final encrypted data block will 
be corrupted [97]. In this research, we have extended the study in [97] a step further 
from fault propagation within a block to within multiple blocks as modes of operation 
involve multiple blocks during encryption [26]. 
Bit-flip faults can occur in the satellite channels due to noise during transmission of 
encrypted data to ground. There are techniques like Forward Error Correction (FEC) 
in place to detect these faults and correct them. Using the FEC technique, extra bits are
added to the data to allow the receiver to correct some errors without having to 
request a retransmission of data [99,101,102]. The maximum fraction of errors that 
can be corrected is determined in advance by the design of the code, so different 
forward error correcting codes are suitable for different conditions. 
In the feedback modes the faults in one block can propagate to other blocks because 
of the feedback. We have investigated how a single-bit fault occurring during 
encryption and during transmission can propagate to subsequent blocks. An elaborate 
study has been carried out to measure the fault propagation in the feedback modes in 
order to propose a suitable mode of encryption for satellite on-board use. We believe 
that this is the first attempt to study the impact of faults with the choice of modes in 
order to recommend the most suitable mode for on-board satellite application of AES. 
5.2 Fault Propagation in AES Modes 
ECB: If an SEU occurred during encryption due to radiation, then the corresponding 
cipher data block and hence the subsequent entire plain data block will be garbled 
when decrypted. 
If a single bit of the cipher data block is corrupted due to noise in the transmission 
channel, then the entire corresponding plaintext block will also be corrupted. These 
faults are not propagated to other blocks, as there is no feedback. The faults are just 
confined to the concerned block only. 
CBC: The effect of an SEU during encryption in the CBC mode is illustrated in Figure
5-1 [26], where the SEU occurrence is marked by the star symbol * and the corrupted
data blocks are represented by black boxes. If an SEU occurs while encrypting the
plain block P1, the cipher block C1 will be corrupted and hence the decrypted block
P1 will also be corrupted. However, this corrupted data is not propagated to the
subsequent blocks despite the feedback. The reason for this is that the corrupted
cipher block C1 is XOR-ed twice - with the plain block P2 before encryption and with
the cipher block C2 after decryption - as shown in Figure 5-1 [26]. Performing the
XOR operation twice with this corrupted cipher block C1 neutralizes the fault and
prevents propagation of faults to subsequent blocks as shown below:
$$P \oplus X \oplus X = P \tag{5-1}$$
where X is the faulty data and P is the plain data.
Figure 5-1 Fault Propagation during Encryption in CBC Mode
In contrast, a fault occurring in an encrypted block during transmission propagates to
the next block, as shown in Figure 5-2 [26], where the transmission fault is marked by
the star symbol * during the transmission of the cipher block C1. The decrypted block
P1 is completely garbled and the subsequent decrypted block P2 will have bit errors at
the same position as the original erroneous block C1 [37]. The decrypted blocks
following the second block will not be affected by the fault. Hence the CBC mode is
self-recovering (self-synchronizing).
Figure 5-2 Transmission Fault Propagation in CBC Mode
OFB: If an SEU occurs during encryption in the OFB mode then all the subsequent
blocks will be corrupted starting from the point where the fault has occurred. This is
because the key stream required for encryption and decryption is independent of the
plain and cipher data in the OFB mode, and hence the feedback propagates the fault
from one block to another until the end of the encryption process.
This is demonstrated by introducing an SEU during the encryption of a plain
multispectral satellite image. The satellite image in Figure 5-3 (a) [12] is a part of an
SSTL multispectral image of North Sumatra taken on the 4th January 2005 in the
aftermath of the Tsunami disaster. The image has 500 × 500 pixels and each pixel is
of 24 bits, representing 3 spectral bands with 8 bits per band. Thus, the number of
128-bit blocks for this image is 46875. Figure 5-3 (b) shows the fault propagation for
a single-bit error, which was introduced during the encryption of the 20,000th block at
the SubBytes transformation of the 4th byte in the third round. Figure 5-3 (c) shows the
propagation of a single-bit error that was introduced during the encryption of the
40,000th block at the MixColumns transformation of the 7th byte in the 6th round.
Figure 5-3 (a) Plain Image (b) Decrypted Image with SEU at 20,000th Block (c) Decrypted
Image with SEU at 40,000th Block
If, in contrast, a bit is corrupted during transmission, only a single bit in the plain data
is affected and the error does not propagate to other parts of the message, again for the
same reason that the key stream doesn't depend on the plain or cipher data. So the
transmission fault is not propagated. This property is very useful to applications such
as satellites where the transmission channels are very noisy. Hence the OFB mode has
an advantage over the CBC and CFB modes in that any bit errors that might occur
inside cipher data are not propagated to affect the decryption of subsequent blocks.
CFB: Due to an SEU during encryption in CFB mode, the corresponding plain data
block will be garbled and the faults are not propagated to subsequent blocks. This is
again because of the XOR property as described by Equation 5-1. The key stream used
during encryption and decryption depends on the cipher data of the previous block as in
CBC mode. So performing XOR two times with the corrupted data neutralizes the fault
and prevents propagation of faults to subsequent blocks.
However, in contrast to CBC, in the CFB mode a transmission fault in an encrypted
data block propagates to the next block, which is corrupted completely. This is
because during decryption first the XOR operation is carried out followed by
encryption as shown in Figure 5-4 [26]. All the blocks following the second block
will not be affected by the error. Therefore, CFB is also known as self-recovering
(self-synchronising).
Figure 5-4 Propagation of Transmission Fault in CFB Mode
CTR: In CTR mode either the SEU fault or the transmission fault propagates to only
one block as in the ECB mode as there is no feedback here to propagate the faults. An
SEU fault during encryption corrupts one complete data block whereas a transmission
fault corrupts only the corresponding single bit in the block.
5.2.1 AES Modes for On-Board Use 
It has been observed that SEU inflicted single-bit errors can propagate from one block
to multiple blocks depending on the mode of operation. In the case of the ECB, CBC,
CFB and CTR modes an SEU corrupts one block of data whereas in case of the OFB
mode it can propagate to the whole data starting from the point where the SEU has
occurred. Hence the CBC, CFB and CTR modes are suitable for use on board as they
propagate faults to just one block. On the other hand ECB is not suitable for satellite
applications, even though it propagates faults to just one block, as it reveals patterns in
the encrypted data, as discussed in section 3.4.
Faults occurring during transmission can also propagate from one block to multiple
blocks depending on the mode of operation. It has been observed that in the case of
the ECB mode the faults propagate to one block, whereas in the CBC and CFB modes
the faults can propagate to two blocks. In contrast, in the OFB and CTR modes, only a
single bit in the plain data is affected and the error does not propagate to other parts of
the image. Based on this analysis, we conclude that the OFB and CTR modes are
more favourable for noisy channels, because unlike other modes, single bit
transmission errors in the cipher data are not expanded in the received plain data. The
OFB mode is also recommended in [98] as a more suitable option for satellite
communications compared to other modes of DES; however, it is very sensitive to
SEUs as demonstrated above. Hence the OFB mode could be used on board only if an
error-free AES encryption scheme such as the one proposed in the next section is
employed.
Table 5-1 summarizes the amount of data corrupted due to single bit faults during
encryption and transmission depending on the AES mode used. It can be seen from
Table 5-1 that the occurrence of single bit errors during on-board encryption in all
AES modes results in fault propagation. This makes a very strong case for
development of a self-repairing AES scheme as it will prevent faulty data
transmissions in satellites. The above fault propagation analysis is carried out by
taking both imaging and non-imaging (telemetry) data. Examples of non-image data
are listed in Appendix B.
Table 5-1 Fault Propagation Due to Single Bit Error During Encryption and Transmission

                                 ECB        CBC         OFB                      CFB         CTR
Amount of Data Corrupted Due to  One block  One block   Complete data from the   One block   One block
SEU During On-board Encryption                          point where fault has
                                                        occurred
Amount of Data Corrupted Due to  One block  Two blocks  No fault propagation     Two blocks  No fault propagation
Faults During Transmission
So far, in this chapter, fault propagation in five popular modes of the AES such as
ECB, CBC, OFB, CFB and CTR has been analyzed in detail. SEUs are the most
common faults that occur on-board due to radiation. The impact of SEU faults
occurring during on-board encryption has been analyzed. In addition, an analysis of
faults that occur during transmission due to noise has been carried out as satellite
channels are very noisy. Since none of the AES modes are free from faults, error
detection and correction is very important in satellites in order to prevent faulty data
transmissions. The rest of the chapter discusses the fault detection and correction model
for the AES algorithm.
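The propagation behaviour summarised in Table 5-1 follows from the feedback structure of each mode and can be reproduced in software. The Python below is an added example, not code from the thesis: it assumes a stand-in 128-bit Feistel cipher built on SHA-256 in place of AES (so that an SEU can be injected into the cipher's internal state), and the key, IV, data blocks and fault positions are constructed.

```python
import hashlib

BLOCK = 16          # 128-bit block, the AES block size
ROUNDS = 8
SEU_SITE = (3, 5)   # constructed fault site: flip state bit 5 after round 3

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):
    # Round function of the stand-in cipher: 64 bits taken from SHA-256.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key, block, seu=None):
    """Stand-in 128-bit Feistel cipher (NOT AES). seu=(round, bit) flips one
    bit of the internal state after that round, modelling an SEU."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, round_f(key, rnd, right))
        if seu is not None and seu[0] == rnd:
            state = bytearray(left + right)
            state[seu[1] // 8] ^= 1 << (seu[1] % 8)
            left, right = bytes(state[:8]), bytes(state[8:])
    return left + right

def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, round_f(key, rnd, left)), left
    return left + right

def run_mode(mode, key, iv, blocks, decrypting=False, seu_block=None):
    """Encrypt or decrypt a list of blocks. seu_block is the index of the block
    whose cipher call suffers the SEU (encryption side only)."""
    out, prev = [], iv
    for i, blk in enumerate(blocks):
        seu = SEU_SITE if i == seu_block else None
        if mode == "ECB":
            res = decrypt_block(key, blk) if decrypting else encrypt_block(key, blk, seu)
        elif mode == "CBC":
            if decrypting:
                res, prev = xor(decrypt_block(key, blk), prev), blk
            else:
                res = prev = encrypt_block(key, xor(blk, prev), seu)
        elif mode == "CFB":
            res = xor(blk, encrypt_block(key, prev, seu))
            prev = blk if decrypting else res     # feedback is the ciphertext
        elif mode == "OFB":
            prev = encrypt_block(key, prev, seu)  # feedback is the keystream
            res = xor(blk, prev)
        elif mode == "CTR":
            ctr = (int.from_bytes(iv, "big") + i) % (1 << 128)
            res = xor(blk, encrypt_block(key, ctr.to_bytes(BLOCK, "big"), seu))
        else:
            raise ValueError(mode)
        out.append(res)
    return out

def propagation(mode, fault, n_blocks=8, at=2):
    """Return {block index: wrong bits} in the recovered plaintext after one
    single-bit fault: "seu" (during encryption) or "transmission"."""
    key, iv = b"constructed key!", bytes(range(BLOCK))      # constructed values
    plain = [bytes([i]) * BLOCK for i in range(n_blocks)]   # constructed data
    if fault == "seu":
        cipher = run_mode(mode, key, iv, plain, seu_block=at)
    else:
        cipher = run_mode(mode, key, iv, plain)
        hit = bytearray(cipher[at])
        hit[0] ^= 0x01                  # one bit flipped on the downlink
        cipher[at] = bytes(hit)
    recovered = run_mode(mode, key, iv, cipher, decrypting=True)
    report = {}
    for i, (p, r) in enumerate(zip(plain, recovered)):
        wrong = sum(bin(x ^ y).count("1") for x, y in zip(p, r))
        if wrong:
            report[i] = wrong
    return report

if __name__ == "__main__":
    for mode in ("ECB", "CBC", "OFB", "CFB", "CTR"):
        print(mode, "SEU:", propagation(mode, "seu"),
              "| transmission:", propagation(mode, "transmission"))
```

With the fault placed in block 2 of 8, the SEU case damages only block 2 in every mode except OFB, where blocks 2 to 7 are all lost; the transmission case gives one garbled block (ECB), one garbled block plus one flipped bit (CBC, CFB), or a single flipped bit (OFB, CTR).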
5.3 Fault Detection 
Various methods have been proposed for fault detection of AES which are mainly
aimed at avoiding cryptanalysis of AES by injection of faults. For instance, Karri et
al. [103] proposed a redundancy-based technique, where a decryption module is
running in parallel with the encryption module and its output is compared with the
input to the encryption module to detect a fault. The fault detection can be carried out
at algorithm, round or even at transformation level to improve the detection latency at
the cost of extra hardware. In [97] Bertoni et al. proposed a fault-detection scheme
based on the parity error detection code (EDC). The fault is detected by comparing the
predicted parity with the calculated parity at the end of each transformation. In [104],
Karpovsky et al. proposed a method to reduce the number of intentional undetected
faults using systematic nonlinear (cubic) robust error detection codes. In [105], Wu et
al. proposed a low cost concurrent error detection technique for the AES using parity
checking based on Substitution Permutation Networks (SPN) with the aim of reducing
the overhead for fault detection. Breveglieri and Koren suggested in [106] that error
detecting codes are a reasonable alternative to the duplication technique due to
reduced hardware overhead, optimum detection rate and many degrees of freedom in
choosing the desired error coverage/cost trade-off.
Fault detection alone is not enough for space applications but fault correction is
equally important. Faults must be detected and corrected on-board before sending the
data to ground to avoid redundant transmission and use of erroneous data. Also if
faulty data is transmitted to the ground station, the user's request for data
re-transmission has to wait until the next satellite revisit period, with revisit time varying
from a couple of hours to weeks. Most of the faults that occur in satellite on-board
electronic devices are radiation induced single bit flips called SEUs.
5.3.1 Parity Based Fault Detection AES Model 
This section presents a fault detection model based on the parity bit and Section 5.4 
presents a fault detection and correction model based on the Hamming code. 
The fault detection AES model involves predicting the parity at the end of each 
transformation from the pre-calculated parity tables. The parity bit of each byte of the 
S-Box look-up table $S_{RD}$, $(S_{RD} \otimes \{02\})$ and $(S_{RD} \otimes \{03\})$ is pre-calculated and stored 
in the form of parity tables and is referred to as parity memory. The size of each of 
these parity tables is 16 x 16 = 256 bits. So the total parity memory is 256 x 3 = 768 
bits. The pre-calculated parity tables are referred to as $P_{RD}$, $P_{2RD}$, $P_{3RD}$ where $P_{RD}$ is 
parity of S-Box look-up table $S_{RD}$, $P_{2RD}$ is parity of $(S_{RD} \otimes \{02\})$ and $P_{3RD}$ is parity of 
$(S_{RD} \otimes \{03\})$ and are represented by equation 5-2. 
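$$
\begin{aligned}
p(S_{RD}[a]) &\rightarrow P_{RD}[a] \\
p(S_{RD}[a] \otimes \{02\}) &\rightarrow P_{2RD}[a] \\
p(S_{RD}[a] \otimes \{03\}) &\rightarrow P_{3RD}[a]
\end{aligned}
\tag{5-2}
$$
where a represents the state byte. 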
The parity matrix of the SubBytes transformation is predicted by referring to the $P_{RD}$ 
table. The parity matrix prediction for ShiftRows consists of simple cyclic rotation of 
the SubBytes parity bits. The parity matrix for MixColumns is predicted with the help 
of the $P_{RD}$, $P_{2RD}$ and $P_{3RD}$ parity tables and it can be expressed as in 5-3. The parity for 
the AddRoundKey transformation is predicted by XORing the MixColumns predicted 
parity with the expanded round key parity. 
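$$
\begin{aligned}
p_{0,j} &= P_{2RD}[a_{0,j}] \oplus P_{3RD}[a_{1,j}] \oplus P_{RD}[a_{2,j}] \oplus P_{RD}[a_{3,j}] \\
p_{1,j} &= P_{RD}[a_{0,j}] \oplus P_{2RD}[a_{1,j}] \oplus P_{3RD}[a_{2,j}] \oplus P_{RD}[a_{3,j}] \\
p_{2,j} &= P_{RD}[a_{0,j}] \oplus P_{RD}[a_{1,j}] \oplus P_{2RD}[a_{2,j}] \oplus P_{3RD}[a_{3,j}] \\
p_{3,j} &= P_{3RD}[a_{0,j}] \oplus P_{RD}[a_{1,j}] \oplus P_{RD}[a_{2,j}] \oplus P_{2RD}[a_{3,j}]
\end{aligned}
\qquad 0 \le j < 4
\tag{5-3}
$$
where $p_{0,j}$, $p_{1,j}$, $p_{2,j}$ and $p_{3,j}$ are the predicted parity bits of the MixColumns transformation 
derived from the $P_{RD}$, $P_{2RD}$ and $P_{3RD}$ tables. 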
The parity bits $P_{2RD}$ is given by the parity check bits of $(S_{RD} \otimes \{02\})$. The Galois 
field multiplication of a state byte, a, with {02} is defined as follows [19,97]. 
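$$
\begin{aligned}
\{02\} \otimes a &= \{02\} \cdot a(x) \bmod m(x) \\
&= x \cdot a(x) \bmod m(x) \\
&= \Big(x \sum_{i=0}^{n-1} a_i x^i\Big) \bmod m(x) \\
&= a_{n-1} \sum_{j=0}^{n-1} m_j x^j + \sum_{j=0}^{n-2} a_j x^{j+1} \\
&= a_{n-1} m_0 + \sum_{i=0}^{n-2} (a_{n-1} m_{i+1} + a_i)\, x^{i+1}
\end{aligned}
\tag{5-4}
$$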
where {02} is represented as x in polynomial form, $m_j$ represent the coefficients of the 
irreducible polynomial m defined in the AES algorithm as discussed in Section 2.2.3 
and n=8. 
The parity of the above product $P_{2RD}$ is calculated as follows. 
$$
P_{2RD} = p(\{02\} \otimes a) = p\Big(a_{n-1} m_0 + \sum_{i=0}^{n-2} (a_{n-1} m_{i+1} + a_i)\Big)
\tag{5-5}
$$
Using the irreducible polynomial given by (2-3) and n=8, equation (5-5) can be re-
written as 
$$
P_{2RD} = p\Big(a_7 + \sum_{i=0}^{6} (a_7 m_{i+1} + a_i)\Big)
\tag{5-6}
$$
Equation (5-6) can be further simplified to [97] 
$$
P_{2RD} = a_7 + p(a)
\tag{5-7}
$$
The parity bits $P_{3RD}$ is given by the parity check bit of $(S_{RD} \otimes \{03\})$. The Galois 
field multiplication of a state byte, a, with {03} is defined as follows: 
$$
\begin{aligned}
P_{3RD} &= p(\{03\} \otimes a) = p(\{02\} \otimes a \oplus a) \\
P_{3RD} &= a_7 + p(a) + p(a) = a_7
\end{aligned}
\tag{5-8}
$$
Figure 5-5 shows the flowchart diagram of fault detection in AES using parity tables. 
For each transformation of AES, the parity predicted from the input state is compared 
with the calculated parity from the transformation output. If the parity bits are different 
then it indicates fault detection and necessary action needs to be taken before 
continuing with the rest of the encryption process. 
Figure 5-5 Flow Chart of Fault Detection in AES 
5.4 Fault-Tolerant AES Model 
This section presents a novel fault-tolerant model for the AES algorithm, which is 
immune to radiation induced SEUs occurring during encryption and can be used in 
hardware implementations on board small EO satellites [27]. The model is based on a 
self-repairing error detection and correction scheme, which is built in the AES 
algorithmic flow and utilizes the Hamming error correcting code [101]. 
The proposed Hamming code based fault-tolerant model of AES can be adapted to all 
the five modes of AES to correct SEUs on-board. Even though the calculation of the 
Hamming code is carried out within the AES it does not alter any of the 
transformations of the algorithm and does not affect in any way the operation of AES. 
Also as the Hamming parity data are not sent to ground, they are not available to leak 
any information about the AES algorithm. Therefore it is believed that the fault-
tolerant AES model does not require a cryptanalysis. 
5.4.1 Model Description 
The proposed fault-tolerant model is based on the single error correcting Hamming 
code (12, 8), the simplest of the available ECC. The Hamming code (12,8) detects and 
corrects a single bit fault in a byte and it is a good choice for satellite applications, as 
most frequently occurring faults in on-board electronics are bit flips induced by 
radiation. However, the AES correction model can be extended to correct multiple bit 
faults by using other ECC such as the modified Hamming code (16, 8), the Reed-
Solomon codes, etc. [99,100]. 
The Error Detection and Correction (EDAC) capability is based on predicting the 
Hamming code bits (also referred to as parity check bits) at the end of each 
transformation from the pre-calculated Hamming code. The procedure to calculate the 
parity check bits is discussed below. 
5.4.1.1 Calculation of the Hamming Code 
The parity check bits of each byte of the S-Box look-up tables are pre-calculated. 
These Hamming code bits can be formally expressed as below: 
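$$
\begin{aligned}
h(S_{RD}[a]) &\rightarrow h_{RD}[a] \\
h(S_{RD}[a] \otimes \{02\}) &\rightarrow h_{2RD}[a] \\
h(S_{RD}[a] \otimes \{03\}) &\rightarrow h_{3RD}[a]
\end{aligned}
\tag{5-9}
$$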
where a is the state byte and h represents the calculation of the Hamming code. 
As it can be seen from (5-9), $h_{RD}$ is given by the parity check bits of the S-Box look-
up table $S_{RD}$, $h_{2RD}$ is given by the parity check bits of $(S_{RD} \otimes \{02\})$ and $h_{3RD}$ is given 
by the parity check bits of $(S_{RD} \otimes \{03\})$. 
The procedure to derive the $h_{RD}$ parity bits is described below by taking one state 
byte, a, represented by bits $(b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0)$ as an example. The Hamming 
code of the state byte, a, is a four-bit parity code, represented by bits $(p_3, p_2, p_1, p_0)$, 
which are derived as follows: 
$$
\begin{aligned}
p_3 &\rightarrow \text{is parity of bit group } b_7, b_6, b_4, b_3, b_1 \\
p_2 &\rightarrow \text{is parity of bit group } b_7, b_5, b_4, b_2, b_1 \\
p_1 &\rightarrow \text{is parity of bit group } b_6, b_5, b_4, b_0 \\
p_0 &\rightarrow \text{is parity of bit group } b_3, b_2, b_1, b_0
\end{aligned}
\tag{5-10}
$$
The Hamming bits of all the bytes of table $S_{RD}$ are pre-calculated and stored in the 
form of a memory table referred to as the $h_{RD}$ table. Calculation of the Hamming code is 
illustrated in Appendix A. 
The Hamming code $h_{2RD}$ is given by the parity check bits of $(S_{RD} \otimes \{02\})$. The 
Galois field multiplication of a state byte, a, with {02} is defined as in (5-4). 
The Hamming code of the above product $h_{2RD}$ is calculated as follows. 
$$
h_{2RD} = h(\{02\} \otimes a) = h\Big(a_{n-1} m_0 + \sum_{i=0}^{n-2} (a_{n-1} m_{i+1} + a_i)\Big)
\tag{5-11}
$$
Using the irreducible polynomial given by (2-3) and n=8, equation (5-12) can be re-
written as 
$$
h_{2RD} = h\Big(a_7 + \sum_{i=0}^{6} (a_7 m_{i+1} + a_i)\Big)
\tag{5-12}
$$
Unlike the calculation of the parity bit of a byte, the calculation of Hamming parity bits 
depends on the position of the bits in a byte and therefore it is not possible to further 
simplify equation (5-12). Hence the $h_{2RD}$ parity bits are calculated beforehand, and 
are stored in the form of a memory table, which is referred to as the $h_{2RD}$ table. 
The Hamming table $h_{3RD}$ is given by the parity check bits of $(S_{RD} \otimes \{03\})$. The 
Galois field multiplication of a state byte a by {03} can be described as follows: 
$$
\begin{aligned}
\{03\} \otimes a &= (\{02\} \oplus \{01\}) \otimes a \\
&= x \cdot a(x) \bmod m(x) \oplus a(x) \bmod m(x)
\end{aligned}
\tag{5-13}
$$
Similar to the parity function, the Hamming function is also a linear operator. The 
Hamming code of the above product $h_{3RD}$ is written as follows. 
$$
h_{3RD} = h(\{03\} \otimes a) = h_{2RD} \oplus h_{RD}
\tag{5-14}
$$
Hence, the $h_{3RD}$ parity bits can be calculated from the $h_{RD}$ and $h_{2RD}$ parity bits and 
therefore it is not necessary to store them in the form of a parity memory table. Once we 
have all the parity bits, the next step is to detect and correct the faults by predicting 
the Hamming code bits using the pre-calculated Hamming code bits. 
5.4.1.2 Detection and Correction of Fault Using Hamming Code Bits 
The Hamming code matrix of the SubBytes transformation is predicted by referring to 
the $h_{RD}$ table. The Hamming code matrix prediction for ShiftRows involves a simple 
cyclic rotation of the SubBytes Hamming code bits. The Hamming code state matrix 
for MixColumns is predicted with the help of the $h_{RD}$, $h_{2RD}$ and $h_{3RD}$ parity bits and it 
can be expressed by the equations below: 
$$
\begin{aligned}
h_{0,j} &= h_{2RD}[a_{0,j}] \oplus h_{3RD}[a_{1,j}] \oplus h_{RD}[a_{2,j}] \oplus h_{RD}[a_{3,j}] \\
h_{1,j} &= h_{RD}[a_{0,j}] \oplus h_{2RD}[a_{1,j}] \oplus h_{3RD}[a_{2,j}] \oplus h_{RD}[a_{3,j}] \\
h_{2,j} &= h_{RD}[a_{0,j}] \oplus h_{RD}[a_{1,j}] \oplus h_{2RD}[a_{2,j}] \oplus h_{3RD}[a_{3,j}] \\
h_{3,j} &= h_{3RD}[a_{0,j}] \oplus h_{RD}[a_{1,j}] \oplus h_{RD}[a_{2,j}] \oplus h_{2RD}[a_{3,j}]
\end{aligned}
\qquad 0 \le j < 4
\tag{5-15}
$$
By substituting (5-15) in the equation (5-16), the Hamming code matrix for 
MixColumns can be predicted with just two tables, $h_{RD}$ and $h_{2RD}$. 
As shown in Figure 5-6, for each transformation, the Hamming code is predicted 
using the input data state to the transformation by referring to the parity check bit 
tables and also the parity check bits are calculated from the output of the 
transformation. The predicted and calculated check bits are compared to detect and 
correct the fault as discussed below. 
Let the predicted check bits of the transformation input be represented by 
$(x_3, x_2, x_1, x_0)$ and the calculated check bits of the transformation output be represented 
by $(y_3, y_2, y_1, y_0)$. The location of the faulty bit is detected by comparing the predicted 
and calculated Hamming check bits following the bit match patterns in Table 5-2. 
Once the faulty bit position is identified the fault correction is performed by simply 
flipping that bit. The encryption is then continued without any interruption to the 
encryption process. Here we assume that the Hamming code tables will be protected 
from SEUs by traditional memory protection techniques in satellite applications like 
memory scrubbing and refreshing [86]. 
Figure 5-6 Fault Detection and Correction Flow Chart 
Table 5-2 Hamming Code Bit Match Table To Locate A Faulty Bit 

Hamming Code Bits Comparison      Faulty Bit Position in Output 
$(x_3,y_3)$ & $(x_2,y_2)$         0 
$(x_3,y_3)$ & $(x_1,y_1)$         2 
$(x_3,y_3)$ & $(x_0,y_0)$         5 
$(x_2,y_2)$ & $(x_1,y_1)$         3 
$(x_2,y_2)$ & $(x_0,y_0)$         6 
$(x_1,y_1)$ & $(x_0,y_0)$         7 
$(x_1,y_1)$                       1 
$(x_0,y_0)$                       4 
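
The prediction scheme of Sections 5.3.1 and 5.4.1 for one state column, as an added example (not code from the thesis or its Java simulator): it builds the parity and Hamming tables, predicts the check bits through SubBytes and MixColumns as in (5-3) and (5-15), and repairs a single flipped bit. The function names, the constructed input column and the mismatch-pattern lookup (derived here from the bit groups in (5-10), with bits numbered b7..b0) are assumptions of this example.

```python
"""Added example (not the thesis simulator): check-bit prediction for one AES
column through SubBytes and MixColumns, with Hamming (12,8) repair."""

def xtime(b):
    """{02} (x) b in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def gmul(a, b):
    """General GF(2^8) product, used for the S-box and for MixColumns."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S_RD: multiplicative inverse followed by the AES affine transform."""
    sbox = []
    for a in range(256):
        inv = next((x for x in range(1, 256) if gmul(a, x) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

# Bit groups of (5-10): check bit p_k is the parity of the listed data bits.
GROUPS = {3: (7, 6, 4, 3, 1), 2: (7, 5, 4, 2, 1), 1: (6, 5, 4, 0), 0: (3, 2, 1, 0)}

def parity(byte):
    """Single parity bit p(a) used by the detection-only model of 5.3.1."""
    return bin(byte).count("1") & 1

def hamming(byte):
    """Four check bits (p3 p2 p1 p0) packed into an integer 0..15."""
    code = 0
    for k, bits in GROUPS.items():
        code |= parity(sum(1 << b for b in bits) & byte) << k
    return code

SBOX = build_sbox()
MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))  # MixColumns rows

def make_tables(check):
    """Pre-calculated tables for a linear check function (parity or hamming).
    The {03} table is derived from the other two, as in (5-14)."""
    t1 = [check(s) for s in SBOX]
    t2 = [check(xtime(s)) for s in SBOX]
    return {1: t1, 2: t2, 3: [x ^ y for x, y in zip(t1, t2)]}

P_TABLES, H_TABLES = make_tables(parity), make_tables(hamming)

def mix_column(s):
    """MixColumns applied to one column of SubBytes output."""
    return [gmul(s[0], r[0]) ^ gmul(s[1], r[1]) ^ gmul(s[2], r[2]) ^ gmul(s[3], r[3])
            for r in MIX]

def predict(tables, a):
    """(5-3)/(5-15): check bits of MixColumns(SubBytes(a)) predicted from input a."""
    return [tables[r[0]][a[0]] ^ tables[r[1]][a[1]]
            ^ tables[r[2]][a[2]] ^ tables[r[3]][a[3]] for r in MIX]

# Mismatch pattern between predicted and calculated check bits -> faulty data bit.
SYNDROME_TO_BIT = {hamming(1 << b): b for b in range(8)}

def check_and_correct(predicted, output):
    """Return (bytes after repair, [(byte index, bit)] repaired, [index] uncorrectable)."""
    fixed, repaired, failed = list(output), [], []
    for i, (x, byte) in enumerate(zip(predicted, output)):
        syndrome = x ^ hamming(byte)
        if syndrome == 0:
            continue
        bit = SYNDROME_TO_BIT.get(syndrome)
        if bit is None:
            failed.append(i)          # not a single data-bit pattern: flag, do not guess
        else:
            fixed[i] ^= 1 << bit
            repaired.append((i, bit))
    return fixed, repaired, failed

def parity_detects(a, output):
    """Detection-only model: True if any byte's parity differs from the prediction."""
    return [parity(b) for b in output] != predict(P_TABLES, a)

if __name__ == "__main__":
    a = [0x19, 0x3D, 0xE3, 0xBE]                  # constructed input column
    good = mix_column([SBOX[x] for x in a])
    seu = list(good); seu[2] ^= 1 << 5            # single-bit upset in byte 2
    dbl = list(good); dbl[1] ^= 0x81              # bits 7 and 0 flipped in byte 1
    print(check_and_correct(predict(H_TABLES, a), seu))
    print(parity_detects(a, dbl), check_and_correct(predict(H_TABLES, a), dbl)[2])
```

The constructed two-bit upset leaves the byte parity unchanged and produces a mismatch pattern that matches no single data bit, so the Hamming check flags it without repairing it. Other two-bit patterns can coincide with a single-bit pattern and be miscorrected, which is the case the stronger codes mentioned in Section 5.4.1 address.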
5.4.2 Software Simulation 
The AES fault-tolerant model was verified using a purpose-built software simulator 
written in the Java programming language. The model is tested through injecting 
faults randomly at different round, transformation, byte and bit levels. A Graphical 
User Interface (GUI) was also developed to effectively simulate fault injection and 
correction. The GUI, as shown in Figure 5-7, has three sub-frames. The input sub-
frame is meant to display the input data block, encryption key, cipher block and 
decryption block etc. The inject error sub-frame is to simulate the error injection at 
different round, transformation, byte and bit position. The details sub-frame shows the 
intermediate state of output for every transformation and for every round in AES. The 
details sub-frame also shows the predicted and calculated Hamming code. 
Figure 5-7 JAVA GUI To Simulate Encryption 
Figure 5-8 JAVA GUI To Simulate AES Decryption 
Figures 5-9 and 5-10 show the fault detection and correction window of the AES 
algorithm, where the error is injected randomly. For instance in Figure 5-9, the error is 
injected at round number 4, in the ShiftRows transformation in the 5th byte position of 
state at i h bit position. The status bar at the lower end of the screen displays the result 
of the fault detection and correction technique based on the Hamming code as discussed 
above. 
The proposed model was tested extensively using the Known Answer Test (KAT) and 
Monte Carlo Test (MCT) vectors described by NIST [19,21]. The testing with the 
software simulator has shown that the fault-tolerant scheme using the Hamming codes 
(12, 8) is able to detect and correct all the faults up to bit level as expected. 
Figure 5-9 JAVA GUI to simulate fault injection and detection at 'bit' level 
Figure 5-10 JAVA GUI to simulate fault injection and detection at 'bit' level 
5.4.3 Hardware Implementation of the Fault-Tolerant AES Model 
FPGA implementation of the AES algorithm and the proposed fault-tolerant model is 
carried out in order to explore the design space and to calculate the hardware 
overhead incurred by the AES EDAC. 
As discussed in Section 2.6, different approaches to the algorithmic realization of the 
SubBytes and MixColumns transformations can be adopted depending on the design 
goals. For instance, the SubBytes transformation can be implemented using a LUT 
approach or a non-LUT approach. In the non-LUT approach SubBytes can be 
calculated on the fly for each state byte using Galois field inversion. Alternatively the 
SubBytes transformation can be computed in advance and the results are stored in the 
S-Box. 
Similarly, the MixColumns transformation can be implemented using a LUT or a 
non-LUT approach. In the non-LUT approach every column in the state is multiplied 
with a predefined polynomial {2 3 1 1}. Alternatively, the two pre-calculated tables 
$(S_{RD} \otimes \{02\})$ and $(S_{RD} \otimes \{03\})$ can be used to carry out this transformation, which is 
called a T-Box approach. Instead of storing only the value of SubBytes as in the S-box 
approach, the T-box approach stores the values of $(S_{RD})$, 
$(S_{RD} \otimes \{02\})$ and $(S_{RD} \otimes \{03\})$. The other two transformations ShiftRows and 
AddRoundKey are implemented by just a cyclic left shift and an XOR operation 
respectively. 
The realisation of the SubBytes and MixColumns transformations using LUT and non-
LUT approaches gives rise to three AES implementation options as detailed in section 
2.6. 
From the analysis in 4.3.1, it can be concluded that the Option1 IP core consumes less 
energy and occupies less area than the other options and hence it is the best choice 
among the three. 
In order to implement and calculate the overhead of the fault-tolerant AES model, the 
Hamming code based EDAC is incorporated into the Option1 AES IP core, which is 
identified as the optimal implementation in terms of power, throughput and area in 
section 4.3.4. Two additional Hamming tables $h_{RD}$ and $h_{2RD}$ are calculated using 
expression (5-10) and $h_{3RD}$ using (5-15). For comparison purposes the EDAC 
function is also incorporated in the Option3 AES IP core which uses LUTs for both 
SubBytes and MixColumns. 
The Hamming code prediction path is implemented as follows. For the SubBytes 
transformation the Hamming code is predicted using the $h_{RD}$ table. For ShiftRows it is 
just a cyclic left shift operation of the Hamming code and it is realized as a shift-by-
wire. The Hamming code prediction for the MixColumns transformation is carried out 
using equation (5-16) with the help of the Hamming code tables $h_{RD}$, $h_{2RD}$ and 
$h_{3RD}$. An XOR gate is used for the prediction of the parity check bits for the 
AddRoundKey transformation. At each transformation the parity check bits are 
calculated and compared with the predicted ones. Fault detection comparators are 
included at each step to compare the predicted and the calculated Hamming code as 
shown in Figure 5-11. If they differ an error flag is set and the error correction logic is 
used to identify the corrupted bit as described in Table 5-2. 
Figure 5-11 Block Diagram of the Fault Tolerant AES Datapath 
The FPGA implementations of the AES fault tolerant model for Option1 and Option3 
are quantified in terms of area, power overhead and maximum frequency of operation 
as shown in Table 5-3 and Table 5-4, respectively. 
Table 5-3 FPGA Implementation of the Fault Tolerant Model with Option1 AES 
XC2V1000 & f = 25 MHz 

Option1 IP Core       FPGA Utilization   Power (mW)   f max (MHz) 
Option1 AES           452 (8%)           885          111 
                      20 (50%) 
Option1 AES + EDAC    675 (13%)          2234         91.43 
                      39 (97%) 
Overhead              49%                152%         -17 % 
Table 5-4 FPGA Implementation of the Fault Tolerant Model with Option3 AES 
XC2V1000, f = 25 MHz 

Option3 IP Core       FPGA Utilization   Power (mW)   f max (MHz) 
Option3 AES           1226 (23%)         1130         90 
                      40 (100%) 
Option3 AES + EDAC    1695 (33%)         2412         75.4 
                      40 (100%) 
Overhead              38 %               131 %        -16 % 
For both fault-tolerant AES implementations, Option1+EDAC and Option3+EDAC, 
the throughput remains 267 Mbps at 25 MHz. However, as can be seen from Table 
5-3 & Table 5-4 the maximum frequency of operation is lower, which is due to the 
addition of Hamming code comparators in the data path. It is clear from Table 5-3 & 
Table 5-4 that the Option3+EDAC implementation consumes more power compared 
to the Option1+EDAC. It can also be observed from Table 5-3 and Table 5-4 that the 
FPGA device utilization overhead for Option3+EDAC is lower by 11 % and the power 
consumption overhead is lower by 21 %. Even though the overhead of the 
Option3+EDAC implementation is smaller compared to Option1+EDAC, it has 
higher area and power consumption. Hence the Option1 based fault-tolerant 
implementation is a more favorable option for on-board use. Compared with the TMR 
technique for SEU mitigation [14], the proposed approach provides better results in 
terms of area and power. 
5.5 System-on-a-Chip Approach to On-Board Encryption 
As discussed in Section 3.1, the main components of an EO satellite are subsystems like 
command and data handling, attitude determination, power, propulsion, imaging 
payload etc. All these subsystems are interconnected to each other through an on-
board bus or network. 
In conventional satellite design, subsystems are physically separate from one another 
and each of the subsystems is composed of a combination of circuit boards and 
components. But the latest trend in satellite design is towards miniaturization of the 
satellite platforms. One of the contributing factors to miniaturization of the computing 
system is implementing the OBC and the computing units in the other subsystems on a 
single chip using System-on-a-Chip (SOC) design. 
Figure 5-12 Generic Architecture of Embedded IP Core-Based SOC 
The research team at the Surrey Space Centre of University of Surrey has a long-term 
research goal, codenamed ChipSat, which aims to apply advanced micro and 
nanotechnologies to small satellites [71,113,114]. As part of this programme a generic 
on-board computing platform is developed, which is implemented as a programmable 
SOC through the use of high density FPGAs. An FPGA-based SOC platform offers 
many potential advantages including low cost, very large scale integration, low 
power, short time to market, and easy field upgrades of entire systems. 
Computing on-board satellites is undertaken by a number of embedded 
microcontrollers, which are connected via a local data network. These controllers 
perform data processing and control functions related to different sub-systems. A 
typical SOC system consists of a number of functional modules such as one or more 
processors, high performance peripherals, DMA controllers and interfaces, 
represented by IP cores from different vendors and implemented on a single chip. 
Figure 5-12 shows a generic architecture of an IP core based SOC for embedded 
systems. 
The central processing unit of the SOC is the LEON microprocessor, which is a 
SPARC V8 soft IP core written in VHDL [109]. The SPARC architecture is a RISC 
architecture with typical features like a linear 32-bit address space and few and simple 
instruction formats. A memory controller and some on-chip peripherals such as 
UARTs, timers, interrupt controller and 16-bit I/O port are integrated. The LEON IP 
core uses the AMBA-2.0 advanced high-performance bus (AHB) and advanced 
peripheral bus (APB) as on-chip bus. The AHB is for interfacing of high-performance 
system modules. 
The SOC is an AMBA bus centric design. Therefore, any components with AHB and 
APB interface can be added to the chip. For highly intensive computation, one or 
more additional LEON processors can be plugged in. An on-board computer SOC 
based on the LEON2 processor was successfully implemented on a VirtexSOO FPGA 
[71]. Data processing IP cores such as AES can also be connected to AMBA bus as 
shown in Figure 5-12. 
LEON is a highly configurable 32-bit processor IP core developed by Gaisler 
Research [109]. In order to speed up the on-board computations the LEON processor can 
be configured to provide a generic interface to a special-purpose Co-Processor (CP) and 
an interface to the Meiko floating-point unit (FPU) core as shown in Figure 5-12. The 
Co-Processor was developed in an earlier project at SSC. The Co-Processor is based 
on the CO-ordinate Rotation DIgital Computer (CORDIC) algorithm [116]. The other 
way to speed up the floating-point computations is to make use of the FPU interface 
provided by the LEON with the Meiko FPU core available from Sun Microsystems [115]. 
The Meiko FPU supports all single and double precision floating-point instructions as 
defined in the SPARC Architecture V8. 
A set of peripheral blocks which are particularly relevant to the space application are a 
high level data link controller (HDLC) interface, a controller area network (CAN) 
interface, a SpaceWire interface etc. The SpaceWire standard is developed for usage 
in spacecraft applications. SpaceWire is a serial interface for a point-to-point 
connection. It is used to connect other spacecraft components to the OBC. It supports 
full-duplex data transmission with data rates from 2 Mbit/s to 400 Mbit/s [114]. The 
High-level Data Link Control (HDLC) protocol is used on SSTL small satellite 
missions for up- and downlink transfers from the spacecraft to the ground station. As 
the name suggests, the HDLC is a second-layer protocol in the OSI reference model. 
Data rates up to 10 Mbit/s are used for the up- and down-link. A further interface 
standard used on SSTL satellites is the Controller Area Network (CAN). It is a serial 
bus interface and was developed by Bosch for car applications. Its maximum data 
transfer rate is up to 1 Mbit/s and it is also used to link the OBC with other spacecraft 
components [12,114]. 
The fault-tolerant AES IP core developed as a result of this research will be integrated 
with the LEON processor to implement an on-board SOC-based crypto-processor. A 
feasibility study on the integration of AES IP cores onto the AMBA bus has been 
undertaken [108]. The AES86 IP core available from [117] is used in the study. A 
wrapper is developed in order to connect the AES86 core to the AMBA bus. AES86 
occupies 15% of the available slices in the Xilinx Spartan-3 FPGA device XC3S1500 
and utilizes 152 mW of power. 
A conceptual view of an SOC approach to AES implementation in a DMC payload is 
presented in Figure 5-13. The DMC payload data handling block diagram is shown in 
Figure 3-6. The SOC based encryption module is introduced just before the 
transmitters. The speed of the downlink in AlSat DMC is 40 Mbps [12]. Hence in 
order to encrypt and transmit the images in real-time the SOC needs to encrypt the 
data at the rate of 40 Mbps. 
Figure 5-13 Block Diagram of SOC Based Encryption Approach to DMC Payload 
5.6 Conclusion 
In this chapter, SEU propagation in the popular modes of the AES such as ECB, CBC, 
OFB, CFB and CTR has been discussed in detail, along with their advantages and 
disadvantages for encryption of satellite images. In addition, an analysis of faults that 
occur during transmission due to noise is carried out, as satellite channels are very 
noisy. 
In order to avoid data corruption due to SEUs, a fault detection and correction model 
of AES is proposed based on the Hamming code (12,8). The model provides an SEU 
self-recovering capability, which is built in the AES data path. Also FPGA 
implementation is carried out to calculate the area and power consumption overhead 
of the proposed fault correction model. The fault-tolerant model of the AES provides 
adequate processing speed of 267 Mbps on a Xilinx Virtex 2 FPGA, which is in 
excess of the typical data rate in small EO satellites of 25 Mbps. Also it consumes a 
very small portion of the power available to the payload unit. The estimated hardware 
overhead of the optimal fault-tolerant AES IP core is 49 % in terms of area and 152 % 
in terms of power. The model can be extended for detection and correction of multiple 
bit faults by using other more-sophisticated error-correcting codes such as modified 
Hamming code, Reed-Solomon codes etc. 
The proposed fault detection and correction AES model targets the satellite 
application domain, however it can also be used in other applications aimed at hostile 
environments such as nuclear reactors, interplanetary exploration, unmanned aerial 
vehicles, etc. Terrestrial applications, which require a high level of reliability, such as 
bank servers, telecommunication servers, etc. can benefit from the use of AES fault-
tolerant techniques too. 
Finally, a conceptual view of using a SOC approach to AES implementation is 
discussed. A block diagram of SOC based encryption for DMC satellite imaging 
payloads is also presented. 
Chapter 6. Conclusions & Future Work 
Chapter 6 
6 Conclusions & Future Work 
6.1 Conclusions 
This thesis presented a novel research study of compact and robust implementations 
of cryptographic algorithms for EO satellites on-board use. The recent cases of 
unauthorized access to satellite data and the increasing demand for on-board security 
measures are the motivation for this research study. 
The amount of data during downlink is very large in EO satellites and at the same 
time satellites, particularly small satellites, have very limited power and computational 
resources as in terrestrial embedded systems. In addition, satellites operate in a harsh 
radiation environment and consequently any processor used on board, including the 
encryption processor, is susceptible to radiation-induced faults. So the encryption 
algorithm used on-board should be robust to radiation induced faults and at the same 
time capable of providing high-speed encryption without consuming much power and 
processing resources, without compromising in security (tough to break). With these 
constraints in mind a novel compact fault tolerant model of the latest encryption 
algorithm has been proposed in this thesis. 
In order to protect the valuable infonnation generated by the sophisticated on-board 
payloads, the AES has been identified as the suitable algorithm to perfonn the 
encryption of high data rate downlink. The novel contributions of this research are 
listed below in the order of importance. 
Novel Fault Propagation Analysis using AES Modes 
Most of the faults that occur in satellite on-board electronic devices are radiation-
induced bit flips called single event upsets (SEUs). This thesis presents a novel fault-
tolerant model to mitigate SEUs occurring on board and so avoid faulty data
transmission to the ground station.
A detailed novel analysis of the impact of faults during on-board encryption is
presented for the five most commonly used AES modes, ECB, CBC, OFB, CFB and
CTR, together with their advantages and disadvantages for encryption of satellite
images. From the analysis it has been observed that SEU-inflicted single-bit errors can
propagate from one block to multiple blocks depending on the mode of operation. In
the ECB, CBC, CFB and CTR modes a single SEU corrupts one block of data,
whereas in OFB mode it can propagate to the whole of the data starting from the
point where the SEU occurred. Hence OFB mode is not suitable for satellite on-
board use. ECB is also not suitable as it reveals patterns in the encrypted output. Of
the remaining three modes, CBC is also not suitable for satellite applications as it is
a block cipher mode and hence the speed of processing is limited. The remaining
modes, CFB and CTR, are more suitable for on-board use as both are stream
ciphers, so high speed can be achieved by using parallel processing, and the
propagation of SEU faults is limited to just one block.
In addition, the impact of faults occurring in the data during transmission to ground
over noisy channels is also discussed and compared for all five AES modes.
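The propagation pattern described above comes from each mode's chaining, so it can be reproduced with any invertible 128-bit block cipher. The following is an added example, not code from the thesis: it assumes a small SHA-256-based Feistel network as a stand-in for AES (so that it runs with the Python standard library only), flips one state bit in round 3 while block 2 is being encrypted, decrypts without faults, and reports which blocks come back wrong. All names, the key, the IV and the sample telemetry are constructed for the illustration.

```python
import hashlib

BLOCK = 16   # bytes per block, the same block size as AES
ROUNDS = 8   # rounds of the stand-in cipher (an assumption, not AES's round count)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Feistel round function: keyed hash of one 8-byte half
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def enc_block(key, block, fault=None):
    """Encrypt one block with the stand-in cipher.

    fault=(round, byte, bit), all counted from 1, flips one bit of the
    internal state after that round, modelling an SEU during encryption.
    """
    left, right = block[:8], block[8:]
    for rnd in range(1, ROUNDS + 1):
        left, right = right, _xor(left, _f(key, rnd, right))
        if fault and fault[0] == rnd:
            state = bytearray(left + right)
            state[fault[1] - 1] ^= 1 << (fault[2] - 1)
            left, right = bytes(state[:8]), bytes(state[8:])
    return left + right


def dec_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS, 0, -1):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _counter(iv, i):
    return ((int.from_bytes(iv, "big") + i) % (1 << 128)).to_bytes(BLOCK, "big")


def process(mode, key, iv, blocks, decrypt=False, fault_block=None, fault=None):
    """Run one mode over a list of blocks. The fault (encryption side only)
    hits the cipher call made for block number fault_block, counted from 1."""
    out, feedback = [], iv
    for i, blk in enumerate(blocks, start=1):
        f = fault if (i == fault_block and not decrypt) else None
        if mode == "ECB":
            res = dec_block(key, blk) if decrypt else enc_block(key, blk, f)
        elif mode == "CBC":
            if decrypt:
                res, feedback = _xor(dec_block(key, blk), feedback), blk
            else:
                res = feedback = enc_block(key, _xor(blk, feedback), f)
        elif mode == "CFB":
            res = _xor(blk, enc_block(key, feedback, f))
            feedback = blk if decrypt else res       # ciphertext is fed back
        elif mode == "OFB":
            feedback = enc_block(key, feedback, f)   # keystream is fed back
            res = _xor(blk, feedback)
        elif mode == "CTR":
            res = _xor(blk, enc_block(key, _counter(iv, i), f))
        else:
            raise ValueError("unknown mode: " + mode)
        out.append(res)
    return out


# Constructed sample input in the style of the telemetry in Appendix B.
TELEMETRY = (b"V=12, Lat = -40.6 02.6 40.0, Long = -76.2 24.1 67.3\n"
             b"V=6, Lat = +10.4 02.0 14.6, Long = +12.4 12.3 45.6\n")
KEY = bytes(range(16))       # constructed key
IV = bytes(range(16, 32))    # constructed IV / initial counter value
SEU = (3, 4, 5)              # 3rd round, 4th byte, 5th bit
FAULT_BLOCK = 2              # the SEU strikes while block 2 is encrypted


def split_blocks(data):
    data = data.ljust(-(-len(data) // BLOCK) * BLOCK, b" ")   # pad with spaces
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def corrupted_blocks(mode):
    """Block numbers (from 1) that decrypt wrongly after one SEU in block 2."""
    plain = split_blocks(TELEMETRY)
    cipher = process(mode, KEY, IV, plain, fault_block=FAULT_BLOCK, fault=SEU)
    recovered = process(mode, KEY, IV, cipher, decrypt=True)
    return [i for i, (p, r) in enumerate(zip(plain, recovered), start=1) if p != r]


if __name__ == "__main__":
    for mode in ("ECB", "CBC", "CFB", "OFB", "CTR"):
        print(mode, corrupted_blocks(mode))
```

For ECB, CBC, CFB and CTR only block 2 is reported; for OFB every block from 2 to the end is reported, because the faulty keystream block is what the encrypting side feeds back.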
Novel Fault Tolerant Model of the AES 
In order to avoid data corruption due to SEUs, a fault detection and correction model
of AES is proposed based on the Hamming code (12,8). The model provides an SEU
self-recovering capability, which is built into the AES data path. An FPGA
implementation has also been carried out to calculate the area and power consumption
overhead of the proposed fault correction model. The fault-tolerant model of the AES
provides an adequate processing speed of 267 Mbps on a Xilinx Virtex 2 FPGA, which
is in excess of the typical data rate demanded by small EO satellites. It also consumes
a very small portion of the power available to the payload unit. The estimated hardware
overhead of the optimal fault-tolerant AES IP core is 49 % in terms of area and 152 %
in terms of power. The model can be extended for detection and correction of multiple
bit faults by using other more-sophisticated error-correcting codes such as modified
Hamming code, Reed-Solomon codes etc.
The proposed fault detection and correction AES model targets the satellite
application domain; however, it can also be used in other applications aimed at hostile
environments such as nuclear reactors, interplanetary exploration, unmanned aerial
vehicles, etc. Terrestrial applications which require a high level of reliability, such as
bank servers, telecommunication servers, etc., can benefit from the use of AES
fault-tolerant techniques too.
Design Space Exploration of the AES 
Various implementations of the AES algorithm using both algorithmic and
architectural optimization techniques have been carried out and design parameters
explored in order to identify a suitable implementation approach for space
applications.
Algorithmic optimisations are divided into three options: Option 1, 2 & 3.
All three options have been implemented on Xilinx family FPGAs using soft IP
cores, and throughput, area, power etc. have been extracted. Three other AES
implementations using architectural optimizations such as pipelining and
sub-pipelining have been carried out and evaluated in terms of throughput, area and
power. It is demonstrated that architectural optimizations reduce power and energy
consumption of the AES implementations considerably compared to algorithmic
optimizations but at the expense of FPGA area.
From the analysis of the implementations it is observed that Option 1 is the optimal
choice for EO satellite applications, where throughput needs to be in the order of
hundreds of Mbps but the design should consume little device area and power.
Option 1 consumes a very small portion of the power available to the payload unit. In
addition, Option 1 has been implemented on various other Xilinx family FPGAs such
as Spartan 3, Virtex and Virtex 4, and analysis has been carried out to explore the role
of technology on design parameters. It is also recommended to use low power FPGAs
such as Spartan 3 or Virtex 4 to further bring down the power consumption of the
AES implementations.
On-Board Security Block Diagram 
A review of on-board security architectures, algorithms and services used in existing
satellites has been carried out and summarized. This research has identified the
necessary security services required to protect the satellite links and presented the
security architecture for small EO satellites.
6.2 Future Work 
The main areas of future work are suggested as follows. 
Applying Sophisticated Error Correction Codes 
The proposed fault-tolerant model is based on Hamming (12,8) and it will detect and 
correct single bit errors during encryption. However the model can be extended for 
detection and correction of multiple bit faults by using other more-sophisticated error-
correcting codes such as modified Hamming code, Reed-Solomon codes etc. Further 
study of how these codes can be effectively applied to AES needs to be carried out. 
Erasure Codes 
The proposed fault-tolerant scheme is internal to the AES algorithm. It is possible to
implement an EDAC function that is external to the AES algorithm using erasure
codes [100]. Other than OFB mode, all modes propagate faults occurring during
encryption to just one block and hence a fault-tolerant scheme based on erasure codes
will be more effective in terms of processing overhead. In the implementation of the
erasure codes, the overhead caused by the additional encoding stage that encodes the
plain data blocks into codeword symbols needs to be evaluated. The impact of
SEUs on the encoder also needs to be taken into account.
FPGA-Based SOC Approach to On-Board Encryption 
In recent years a lot of research has been carried out in SOC based satellite design,
details of which can be found in [71,108]. In [71,108], the core of the SOC is built upon
the Leon SPARC V8 microprocessor IP core, a full featured 32-bit microprocessor core
developed by the European Space Agency [109]. This research was intended to connect
the fault tolerant AES IP core to the Leon microprocessor through the on-chip bus,
but because of lack of time this area of research was not completed. A step towards
this task is carried out in [108]; however, integration of the AES IP core into the SOC
based design still needs to be carried out to completion on an FPGA prototyping
board.
Key Management for Satellites 
Key management is a vital issue in any application, whether terrestrial or space. Any
secure system is only as secure as its key management policy. A step in this direction
has been carried out in [107]. However, a complete analysis of the proposed key
management schemes needs to be evaluated further.
References 
[1] Simon Singh, "The Code Book - The Science of Secrecy from Ancient Egypt to 
quantum cryptography", Anchor, 2000. 
[2] W. Stallings "Cryptography and Network Security - Principles and Practices", 
3rd edition, Prentice-Hall, 2002. 
[3] B. Schneier, "Applied Cryptography - Protocols, Algorithms and Source Code 
in C", Wiley, Second Edition, 1995. 
[4] US Government Accountability Office Report "Critical Infrastructure 
Protection. Commercial Satellite Security Should Be More Fully Addressed", 
GAO-02-781, August 2002. 
[5] "Security Threats against Space Missions", Informational Report
CCSDS 350.1-G-1, Green Book, October 2006.
[6] C. Baird, "U.S. satellites won't be watching alone", St. Petersburg Times, March
15, 2003. http://www.globalsecurity.org/org/news/2003/030315-satellites01.htm
[Accessed 25 Aug 2007].
[7] W. Knight, "Critical US satellites could be hacked", New Scientist, October
2002, URL: http://www.newscientist.com/news/news.jsp?id=ns99992905
[Accessed 25 Aug 2007].
[8] Dr K. Sweet, "The Increasing Threat to Satellite Communications" Online 
Journal of Space Communication, Issue 6, November 2003 
[9] K. Poulsen, " Satellites at Risk of Hacks", Security Focus, Oct 2002, URL: 
http://www.securityfocus.com/news/942. [Accessed 25 Aug 2007]. 
[10] NASA/GSFC, "IP-in-Space Security Handbook", September 2001.
URL: http://ipinspace.gsfc.nasa.gov/documents/ [Accessed 25 Aug 2007].
[11] T. Vladimirova, R. Banu and M. N. Sweeting. "On-Board Encryption in 
Satellites" - Proceedings of the 8th Military and Aerospace Applications of 
Programmable Logic Devices and Technologies International Conference 
(MAPLD'2005), F-184, September 2005, Washington DC, US, NASA. 
[12] Surrey Satellite Technology Ltd, www.sstl.co.uk [Accessed 25 Aug 2007]. 
[13] Directory of Earth Observation Resources.
http://directory.eoportal.org/pres_TopSat.html [Accessed 25 Aug 2007].
[14] W. Sun, P. Stephens, M. N. Sweeting. "Micro-Mini satellites for Affordable EO 
Constellations - RapidEye and DMC"- Proceedings of the IAA Symposium on 
Small Satellites for Earth Observation, Berlin, IAA-B3-0603, April 2001 
[15] H. Weiss, J. Stanier, "Space Mission Communications Security", 5th Ground 
System Architecture Workshop (GSAW) 2001, 
http://sunset.usc.edu/events/GSAW/gsaw2001/SESSION9/Shave.pdf [Accessed
25 Aug 2007]. 
[16] J. Guttlich, N. Sinander, E. Schaffner, "MeteoSat Second Generation (MSG)
Ground Segment - LRIT/HRIT Mission Specific Implementation", Doc No.
EUM/MSG/SPE/057, Issue 4.0, 21st September 1999. [Accessed 25 Aug 2007].
[17] H. Michalik, L. Hinsenkamp, A. Schonenberg, "Secure space links - Impacts on
on-board link data processing", Data Systems In Aerospace (DASIA 2006),
Berlin, Germany, 22-25 May 2006.
[18] "The application of CCSDS protocols to secure systems", Informational Report 
CCSDS 350.0-G-2, Green Book, January 2006 
[19] J.Daemen and R.Rijmen, "The Design of Rijndael: AES - The Advanced
Encryption Standard", Springer-Verlag publication, 2002.
[20] The Rijndael Home Page, http://www.esat.kuleuven.ac.be/~rijmen/rijndael
[Accessed 25 Aug 2007].
[21] "AES Validation List", September 2004,
http://csrc.nist.gov/cryptval/aes/aesval.html [Accessed 25 Aug 2007].
[22] Xilinx Website, www.xilinx.com. [Accessed 25 Aug 2007].
[23] OMNI project document "NASA/GSFC Space Internet:
Extending Internet Technology Into Space", 2001
http://ipinspace.gsfc.nasa.gov/documents/ [Accessed 25 Aug 2007].
[24] M.S.Gussenhoven, E.G.Mullen, "Space Radiation Effects Program: An 
Overview", IEEE Transactions on Nuclear Science, Vol. 40, Issue 2, April 
1993, Pages: 221-227 
[25] A.F. Leon, "Field Programmable Gate Arrays in Space", IEEE Instrumentation 
and Measurements Magazine, Volume 6, Issue 4, Dec 2003, Pages: 42-48 
[26] R. Banu and T. Vladimirova, "Investigation of Fault Propagation in Encryption 
of Satellite Images Using the AES Algorithm", Proceedings of 25th IEEE 
Military Communications Conference (MILCOM 2006), 23-25 October 2006, 
Washington D.C., USA, Pages: 1 - 6 
[27] R. Banu and T.Vladimirova, "On-Board Encryption in Earth Observation Small 
Satellites", Proceedings of 40th IEEE International Carnahan Conference on 
Security Technology (ICCST 2006), 16-19 October 2006, Kentucky, USA, 
Pages: 203 - 208 
[28] C.I. Underwood, " The Single-Event Effect Behavior of Commercial-Off-the-
Shelf memory devices - A Decade in Low Earth Orbit", IEEE Transactions on 
Nuclear Science, Volume 45, Issue 3, Part 3, June 1998, Pages: 1450-1457. 
[29] P. Kumar, "J2EE Security for Servlets, EJBs and Web Services", Prentice Hall
PTR, 2004.
[30] H.X. Mel, Doris M. Baker and Steve Brunett, "Cryptography Decrypted",
Addison-Wesley Professional, 2000.
[31] Niels Ferguson and Bruce Schneier, "Practical Cryptography", Wiley, 2003.
[32] Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, "Handbook of
Applied Cryptography", CRC, 1996.
[33] Dr. James Heather, Lecture Notes of Security and Cryptography, CSMI4,
University of Surrey, UK,
http://www.computing.surrey.ac.uk/personal/st/J.Heather/teaching/crypto/2007/
[Accessed 25 Aug 2007].
[34] Source code for AES in C/C++ by Brian Gladman,
http://fp.gladman.plus.com/AES/index.htm [Accessed 25 Aug 2007].
[35] NIST Home Page for Rijndael Algorithm, csrc.nist.gov/encryption/aes/rijndael/
[36] X.Zhang, K.K. Parhi, "Implementation Approaches for the Advanced 
Encryption Standard Algorithm", IEEE Circuits and Systems Magazine, 
Volume 2, Issue 4, Fourth Quarter, 2002, Pages: 24 - 46. 
[37] W.E. Burr, "Selecting the Advanced Encryption Standard", Security & Privacy 
Magazine, IEEE, Volume: 1, Issue: 2, Mar-Apr 2003, Pages: 43 - 52. 
[38] Zhang X, Parhi,K K "High-Speed VLSI Architecture for the AES Algorithm", 
IEEE Transaction on VLSI Systems, Vol. 12, No 9, September 2004, Pages: 
957 -967. 
[39] D. Hwang, P. Schaumont, Y. Fan, A. Hodjat, B.C. Lai, K. Sakiyama, S. Yang, I. 
Verbauwhede, "Design flow for HW / SW acceleration transparency in the 
ThumbPod secure embedded system," 2003 Design Automation Conference, 
Los Angeles, June 2003, Pages:60 - 65. 
[40] T. Wollinger, J. Guajardo, C. Paar, "Cryptography in Embedded Systems: An
Overview", Proceedings of the Embedded World Exhibition and Conference,
Design & Elektronic, Nuernberg, Germany, February 18-20, 2003,
Pages: 735-744.
[41] S. Ravi, A. Raghunathan, N. Potlapalli, M. Sankardass, "System Design
Methodology for a Wireless Security Processing Platform", Proceedings of 39th
IEEE Design Automation Conference (DAC), 2002, Pages: 777-782.
[42] A. Hodjat, I. Verbauwhede, "Interfacing a High Speed Crypto Accelerator to an
Embedded CPU", Proceedings of 38th IEEE Conference on Signals, Systems and
Computers, Nov. 2004, Pages: 488-492.
[43] Henry Kuo, Verbauwhede, P. Schaumont, "A 2.29 Gbits/sec, 56mW
non-pipelined Rijndael AES Encryption IC in 1.8V, 0.18um CMOS Technology",
IEEE Custom Integrated Circuits Conference, 2002.
[44] I. Papaefstathiou, V.Papaefstathiou, C.Sotiriou, " Design-space exploration of 
the most widely used cryptographic algorithms", Journal of Microprocessors 
and Microsystems, Elsevier, Volume 28, Issue 10, December 2004, Pages: 561-
571. 
[45] A. Hodjat, D. Hwang, B.C. Lai, K. Tiri, I. Verbauwhede, "A 3.84 Gbps AES Crypto
Coprocessor with Modes of Operation in a 0.18um CMOS Technology", ACM
Great Lake Symposium on VLSI (GLSVLSI), April 17-19, 2005.
[46] A. Hodjat, " Area- Throughput Trade-offs for Fully Pipe-lined 30 to 70 Gbps 
AES Processors", IEEE Transactions on Computers, Vol 55, No 4, April 2006, 
Pages: 366-372. 
[47] N.Kim, T.Mudge, R.Brown, "A 2.3 Gb/s Fully Integrated and Synthesizable 
AES Rijndael Core", Proceedings of IEEE Conference on Custom Integrated 
Circuits, September 2003, Pages: 193-196. 
[48] C.Su, T.Lin, C.Huang, C.Wu,"A high-Throughput Low-Cost AES Processor", 
IEEE Communications Magazine, Dec 2003, Volume 41, Issue 12, Pages: 86-
91. 
[49] S. Mangard, M. Aigner, S. Dominikus, "A Highly Regular and Scalable AES
Hardware Architecture", IEEE Transactions on Computers, Vol. 52, No. 4, April
2003, Pages: 483-491.
[50] Y. Lai, L. Chang, L. Chen, C. Chou, C. Chiu, "A Novel Memoryless AES Cipher
Architecture For Networking Applications", IEEE Proceedings of the 2004
International Symposium on Circuits and Systems, May 2004, Volume 4,
Pages: 333-336.
[51] D. Mukhopadhyay, D. RoyChowdhury, "An Efficient End To End Design of
Rijndael Cryptosystem in 0.18 u CMOS", Proceedings of the 18th International
Conference on VLSI Design held jointly with 4th International Conference on
Embedded Systems Design, Jan. 2005, Pages: 405-410.
[52] M. Feldhofer, J. Wolkerstorfer, V. Rijmen, "AES Implementation on a Grain of
Sand", IEE Proceedings of Information Security, Oct 2005, Volume 152, Issue
1, Pages: 13-20.
[53] A.J. Elbirt, W. Yip, B. Chetwynd, C. Paar, "An FPGA-Based Performance
Evaluation of the AES Block Cipher Candidate Algorithm Finalists", IEEE
Transactions on VLSI Systems, Vol. 9, Issue 4, August 2001, Pages: 545-557.
[54] N.S. Saqib et al., "AES Algorithm Implementation - An Efficient Approach for
Sequential and Pipelining Architectures", Proceedings of 4th Mexican
International Conference on Computer Science, 2003.
[55] P. Chodowiec and K. Gaj, "Very Compact FPGA Implementations of the AES 
Algorithm", CHES 2003, Proceedings, LNCS Vol. 2779 ,Pages: 319-333 
[56] F.X.Standaert, G.Rouvroy, J.J.Quisquater, J.D.Legat," A methodology to 
Implement Block Ciphers in Reconfigurable Hardware and its Application to 
Fast and Compact AES Rijndael", Proceedings of FPGA 2003 Conference, 
February 23-25, 2003, Monterey, California, Pages: 216-224.
[57] J. Zambreno, D. Nguyen, A. Choudhary, "Exploring Area/Delay Tradeoffs in an
AES FPGA Implementation", Springer-Verlag, FPL 2004, LNCS 3203, Pages:
575-585.
[58] D. Kotturi, Soong-Moo Yoo, J.Blizzard , "AES Crypto Utilizing High-Speed 
Parallel Pipelined Architecture", IEEE International Symposium on Circuits and 
Systems, 23-26 May 2005, Pages: 4653 - 4656 
[59] C. Chitu, D.Chien, C.Chien, I.Verbauwhede, F.Chang," A Hardware 
Implementation In FPGA of the Rijndael Algorithm", IEEE 45th Midwest 
Symposium on Circuits and Systems, Volume 1, 4-7 Aug. 2002, Pages. 507-10 
[60] M. McLoone, J.V. McCanny, "Generic architecture and semiconductor
intellectual property cores for advanced encryption standard cryptography", IEE
Proceedings of Computer and Digital Techniques, Volume 150, Issue 4, 18
July 2003, Pages: 239 - 244.
[61] F. Rodriguez-Henriquez, N.A. Saqib, A. Diaz-Perez, "4.2 Gbit/s single-chip
FPGA implementation of AES algorithm", Electronic letters, Volume 39, Issue
15, 24 July 2003, Pages: 1115 - 1116.
[62] Jhing-Fa Wang; Sun-Wei Chang; Po-Chuan Lin;," A Novel Round Function 
Architecture for AES Encryption/Decryption Utilizing Look-up Tables", 37th 
IEEE International Carnahan Conference on Security Technology, 14-16 Oct. 
2003, Pages: 132 - 136. 
[63] G. Rouvroy, "Compact Efficient Encryption/Decryption Module for FPGA 
Implementation of the AES Rijndael Very Well Suited for Small Embedded 
Applications", IEEE International Conference on Information Technology,
Coding and Computing, Volume 2, 2004, Pages: 583 - 587. 
[64] A. Hodjat, I.Verbauwhede," A 21.54 Gb/s Fully Pipelined AES Processor on 
FPGA", Proceedings of the Ith Annual IEEE Symposium on Field-
Programmable Custom Computing Machines, 20-23 April 2004, Pages: 308 -
309. 
[65] T.Good, M.Benaissa, "Very Small FPGA Application-Specific Instruction 
Processor for AES", IEEE Transactions on Circuits and Systems, Volume 53, 
Issue 7, July 2006, Pages: 1477 - 1486. 
[66] John R. Vacca, "Satellite Encryption", Academic Press Inc, 1998. 
[67] M.Richharia, "Satellite Communications Systems: Design Principles", 
McGraw-Hill Education, 1995. 
[68] Intelsat, www.intelsat.com [Accessed 25 Aug 2007]. 
[69] "Classification of Satellites", centaur.sstl.co.uk/SSHP/sshp_classify.html
[Accessed 25 Aug 2007].
[70] S. Yuhaniz, T. Vladimirova and M. Sweeting, "Embedded Intelligent Imaging
On-Board Small Satellites", Proceedings of ACSAC 2005, LNCS 3740,
Springer-Verlag Berlin Heidelberg, 2005, pp. 90 - 103.
[71] D. Zheng, "Reconfigurable System-on-a Chip Based Platform for Satellite On-
Board Computing", PhD Thesis, University of Surrey, 2005 
[72] P. Stephens, J. Cooksley, A.Curiel, L.Boland etal, " Launch of the International 
Disaster monitoring Constellation; the development of a novel international 
partnership in space", Proceedings of International Conference on Recent 
Advances in Space Technologies, 20-22 Nov 2003, Pages: 525-535. 
[73] Disaster Monitoring Constellation Launched, 
zenit.sstl.co.uk/documents/SNews4.pdf [Accessed 25 Aug 2007].
[74] A.Chikouche, "Implementation of On board Watermarking for satellite Images", 
PhD Thesis, University of Surrey, 2004. 
[75] N. Ismailoglu, O. Benderli, S. Yesil, R.Sever etal, "GEZGIN & GEZGIN-2: 
Adaptive Real-Time image Processing Subsystems for Earth Observation Small 
Satellites", First NASA/ESA Conference on Adaptive Hardware and Systems 
(AHS '06), 2006, Pages: 351-358. 
[76] S. Yesil, R. Sever, B. Okcan, N. Ismailoglu, "GLOGE: A Case Study of a Secure
Data Communication Subsystem for Micro-Satellites", Recent Advances in
Space Technologies (RAST), 2005, Istanbul.
[77] A. Hillman, D. Comi, W. Branson, P. Rolland, "Countdown for RADSAT-2
System Operations", IEEE International Proceedings of Geoscience and Remote
Sensing Symposium (IGARSS'05), Volume 1, 25-29 July 2005.
[78] Simon Collard-Wexler etal, "Space Security", Library and Archives Canada 
Cataloguing in Publications Data, 2006. 
[79] N.Efford, "Digital Image Processing: A Practical Introduction Using Java". 
Addison-Wesley, 2000. 
[80] Vegetation Images Samples, 
http://www.vgt.vito.belAShtmVc24_08022000_newzealand.htm [Accessed 25 
Aug 2007]. 
[81] F. Fernanda Lima Kastensmidt, L.Carro, R.Reis, "Fault-Tolerance Techniques 
for SRAM-based FPGAs", Springer, 2006 
[82] S.Maqbool, "A System-level Supervisory Approach to Mitigate Single Event 
Functional Interrupts in Data Handling Architectures", PhD Thesis, University 
of Surrey, 2006. 
[83] C.I. Underwood, "The Single-Event Effect Behaviour of
Commercial-Off-the-Shelf memory devices - A Decade in Low Earth Orbit", IEEE Transactions on
Nuclear Science, Volume 45, Issue 3, Part 3, June 1998, Pages: 1450-1457. 
[84] A.F. Leon, "Field Programmable Gate Arrays in Space", IEEE Instrumentation 
and Measurements Magazine, Volume 6, Issue 4, Dec 2003, Pages:42-48 
[85] E. Fuller, M.Caffrey, A.Salazar, C.Carmichael, J. Fabula , " Radiation Testing 
Update, SEU Mitigation, and Availability Analysis of the Virtex FPGA for 
Space Reconfigurable Computing", Proceedings of Military and Aerospace 
Applications of Programmable Logic Devices and Technologies International 
Conference (MAPLD 2000), September 26-28, 2000 
[86] R. Mariani and G. Boschi, "Scrubbing and Partitioning for Protection of
Memory Systems", Proceedings of the 11th IEEE International Symposium on 
On-Line Testing, 6-8 July 2005, Pages. 195-196 
[87] Lansing F, Lemmerman L, Walton A etal, " Needs for Communications and 
Onboard Processing in the Vision Era", IEEE International Geoscience and 
Remote Sensing Symposium, Volume 1, 24-28 June 2002, Pages:375 - 377 
[88] E.Oswald etal, "State of the Art in Hardware Architectures", Report of 
European Network of Excellence in Cryptology, Revision 1.0, IST-2002-
507932, September 2005. 
[89] Modelsim, www.model.com [Accessed 25 Aug 2007]. 
[90] Synplify, www.synplicity.com [Accessed 25 Aug 2007]. 
[91] XPower, www.xilinx.com/XPower [Accessed 25 Aug 2007].
[92] John M Rabey, "Digital Integrated Circuits - A Design Perspective", Eastern
Economy Edition, Prentice Hall India, 2000.
[93] Open Cores, www.opencores.org [Accessed 25 Aug 2007]. 
[94] Anurag Tiwari, "Low Power FPGA Design Techniques for Embedded 
Systems", PhD Thesis, Computer Science Engineering, University of 
Cincinnati, 2005 
[95] Wilton S J E, Su-Shin Ang and Wayne Luk, "The Impact of pipelining on
Energy per Operation in field-Programmable Gate Arrays", Proc. Intl. Conf. on
Field-Programmable Logic and its Applications, 2004, Pages: 719-728
[96] Ray Andraka, " FPGAs cut power with pipelining", www.eetimes.com 
[Accessed 25 Aug 2007]. 
[97] G. Bertoni, L. Breveglieri, I. Koren, P. Maistri and V. Piuri, "Error Analysis and 
Detection Procedures for a Hardware Implementation of the AES", IEEE 
Transactions on Computers, Vol. 52, No.4, April 2003, Pages: 493-505. 
[98] Young-Chul Kim; Kwang-Ok Kim; Tae-Won Lee, "VLSI Implementation of an 
OFB Processor for Encryption of Real-time Data", Proceedings of the txt IEEE 
Asia Pacific Conference on ASICs, 28-30 Aug. 2000, Pages: 179 - 182
[99] Stephen. B. Wicker, "Error-Correction Coding for Digital Communication and 
Storage", Prentice-Hall,Jan 1995. 
[100] M.G.Luby, M. Mitzenmacher, M.A. Shokrollahi and D.A. Spielman, "Efficient 
Erasure Correcting Codes", IEEE Transactions on Information Theory, Vol. 47, 
No.2, February 2001. Pages: 569-583 
[101] D.J. Costello, S. Lin, "Error Control Coding", Pearson US Imports & PHIPEs;
2nd Revised US Ed edition, Aug 2003. 
[102] P. Sweeney, "Error Control Coding", Pearson Education Limited, 1990 
[103] Ramesh Karri, Kaijie Wu, Piyush Mishra, "Concurrent Error Detection Schemes 
for Fault-Based Side-Channel Cryptanalysis of Symmetric Block Ciphers", 
IEEE Transactions on Circuits and Systems, Dec 2002. 
[104] Mark Karpovsky, Konrad J. Kulikowski, Alexander Taubin, "Robust
Protection against Fault-Injection Attacks on Smart cards Implementing the 
Advanced Encryption Standard" , Proceedings of the 2004 International 
Conference on Dependable Systems and Networks (DSN 04), 2004. 
[105] K.Wu, R Karri, G.Kuznetsov, M. Goessel , "Low Cost Concurrent Error 
Detection for the Advanced Encryption Standard", ITC International Test 
Conference, 2004. 
[106] L. Breveglieri, I.Koren, P. Maistri, " Detecting Faults in four Symmetric Key 
block Ciphers", IEEE International Conference on Application-Specific 
Systems, Architectures and Processors, September 2004. 
[107] T.Mehamood, "Efficient Key Management Scheme for On-Board Encryption of 
Satellite Images", MSc Thesis, 2006, University of Surrey. 
[108] L.Hellyer, " Encryption of Multispectral Satellite Images", BEng Thesis, Surrey 
Space Centre (SSC), University of Surrey, UK, 2006. 
[109] IP Cores,Gaisler Research Home Page, www.gaisler.com [Accessed 25 Aug 
2007]. 
[110] X. Zhang, K.K.Parhi, "High-Speed VLSI Architecture for the AES Algorithm", 
IEEE Transaction on VLSI Systems, Vol. 12, No 9, September 2004, Pages: 
957 - 967. 
[111] C. Carmichael etal., "SEU Mitigation Techniques for Virtex FPGAs in Space 
Applications", Proceedings of the Military and Aerospace Applications of 
Programmable Devices and Technologies Conference (MAPLD'99), Maryland, 
September 28-30, 1999. 
[112] "Xilinx Programmable Solutions for Aerospace and Defense Applications",
Xilinx Documents, Xilinx Inc.
http://www.xilinx.com/publications/prod_mktg/pn0010783.pdf [Accessed 25
Aug 2007].
[113] M.Meier, T.Vladimirova, T. Plant, A.Curiel, "DMA Controller for a Credit-
Card Size satellite OBC", Proceedings of the 7th Military and Aerospace 
Applications of programmable Logic devices and Technologies International 
Conference (MAPLD 2004), P-208, 2004, Washington DC, US, NASA 
[114] T. Vladimirova, X. Wu, "On-Board Partial Run-Time Reconfiguration for
Pico-satellite Constellations", 1st ESA/NASA Conference on Adaptive Hardware and
Systems (AHS 2006), June 2006, Pages: 262-269.
[115] R.Banu and T.Vladimirova, "Floating-Point Unit and Mathematical Co-
Processor for a Single-Chip On-Board Computer", Proceedings of the 5th 
Postgraduate Research Conference in Electronics, Photonics, Communications 
& Networks and Computing Science (PREP 2004), 2004, University of 
Hertfordshire, Hatfield, UK 
[116] T.Vladimirova and M.N.Sweeting, "System-on-a-Chip Development for Small 
Satellite On-Board Data Handling", Journal of Aerospace Computing, 
Information and Communication, vol. 1, n 1, January 2004, AIAA, Pages.36-43. 
[117] AES86 Homepage, http://ht-lab.com/freecores/AES/aes.html [Accessed 25 Aug
2007].
Appendix A 
A. Error Correction Using Hamming Codes 
This appendix presents examples of error correction using Hamming code (12,8).
A.1 Example 1
The following example illustrates how Hamming code (12,8) corrects a single bit flip
in a byte. Byte 67 is corrupted to 63 because of a single bit flip. The correction
procedure is described below.
Let the data byte (d) be 63, which can be represented in binary form as 0110 0011. The
calculated Hamming code or parity bits (x1,x2,x3,x4) of byte 63 are tabulated as
follows.
                             1   2   3   4   5   6   7   8   9  10  11  12
                            x1  x2  d7  x3  d6  d5  d4  x4  d3  d2  d1  d0
Data word (without parity)   -   -   0   -   1   1   0   -   0   0   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -
p1                           -   0   0   -   -   1   0   -   -   0   1   -
p2                           -   -   -   1   1   1   0   -   -   -   -   1
p3                           -   -   -   -   -   -   -   0   0   0   1   1

But the predicted Hamming code will be different for 63 as it is a faulty byte. The
predicted Hamming code (y1,y2,y3,y4) is 1110 and is listed below.

                             1   2   3   4   5   6   7   8   9  10  11  12
                            y1  y2  d7  y3  d6  d5  d4  y4  d3  d2  d1  d0
Data word (without parity)   -   -   0   -   1   1   0   -   0   0   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -
p1                           -   1   0   -   -   1   0   -   -   0   1   -
p2                           -   -   -   1   1   1   0   -   -   -   -   1
p3                           -   -   -   -   -   -   -   1   0   0   1   1
Applying the correct Hamming code 1110 (the predicted one) to the faulty byte 63, the
word is 010111010011. The decoding to identify the faulty bit works as described in
the following table.

                             1   2   3   4   5   6   7   8   9  10  11  12  Parity check
                            p1  p2  d7  p3  d6  d5  d4  p4  d3  d2  d1  d0
Received word                0   1   0   1   1   1   0   1   0   0   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -  Pass
p1                           -   1   0   -   -   1   0   -   -   0   1   -  Fail
p2                           -   -   -   1   1   1   0   -   -   -   -   1  Pass
p3                           -   -   -   -   -   -   -   1   0   0   1   1  Fail

2 + 8 = 10. That means the 10th bit is faulty.
Flipping the 10th bit changes 010111010011 into 010111010111.
Removing the Hamming codes gives the original data word of 0110 0111 = 67.
A.2 Example 2: Detecting the flip in the Hamming code
Data word is 67
Hamming code is 0111

                             1   2   3   4   5   6   7   8   9  10  11  12  Parity bit
                            p1  p2  d7  p3  d6  d5  d4  p4  d3  d2  d1  d0
Data word (without parity)   -   -   0   -   1   1   0   -   0   1   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -  0
p1                           -   1   0   -   -   1   0   -   -   1   1   -  1
p2                           -   -   -   1   1   1   0   -   -   -   -   1  0
p3                           -   -   -   -   -   -   -   1   0   1   1   1  1

Data word is 67
Hamming code is 0101

                             1   2   3   4   5   6   7   8   9  10  11  12
                            p1  p2  d7  p3  d6  d5  d4  p4  d3  d2  d1  d0
Data word (without parity)   -   -   0   -   1   1   0   -   0   1   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -
p1                           -   1   0   -   -   1   0   -   -   1   1   -
p2                           -   -   -   0   1   1   0   -   -   -   -   1
p3                           -   -   -   -   -   -   -   1   0   1   1   1

                             1   2   3   4   5   6   7   8   9  10  11  12  Parity check  Parity bit
                            p1  p2  d7  p3  d6  d5  d4  p4  d3  d2  d1  d0
Received word                0   1   0   0   1   1   0   1   0   1   1   1
p0                           0   -   0   -   1   -   0   -   0   -   1   -  Pass          0
p1                           -   1   0   -   -   1   0   -   -   1   1   -  Pass          0
p2                           -   -   -   0   1   1   0   -   -   -   -   1  Fail          1
p3                           -   -   -   -   -   -   -   1   0   1   1   1  Pass          0

4th bit is flipped which is p3. So the right Hamming code is - 0111
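Both examples of this appendix can be checked mechanically. The following is an added example, not code from the thesis: a Python model of the Hamming (12,8) layout used in the tables (parity bits at positions 1, 2, 4 and 8, data bits d7..d0 at the remaining positions, even parity), with bytes 67 and 63 read as hexadecimal, as their binary forms show. The function names are chosen here, and the last case shows why the conclusions call for stronger codes against multiple bit faults.

```python
PARITY_POS = (1, 2, 4, 8)                  # parity bit positions in the 12-bit word
DATA_POS = (3, 5, 6, 7, 9, 10, 11, 12)     # positions of d7, d6, ..., d0


def _place(byte, code=(0, 0, 0, 0)):
    """Lay out data and parity bits as a 12-bit word; index 0 is unused."""
    word = [0] * 13
    for shift, pos in zip(range(7, -1, -1), DATA_POS):
        word[pos] = (byte >> shift) & 1
    for pos, bit in zip(PARITY_POS, code):
        word[pos] = bit
    return word


def _group_parity(word, p):
    """XOR of all positions whose index has bit p set (the group of parity p)."""
    acc = 0
    for pos in range(1, 13):
        if pos & p:
            acc ^= word[pos]
    return acc


def hamming_code(byte):
    """Even-parity check bits for one data byte, position 1 first."""
    word = _place(byte)
    return tuple(_group_parity(word, p) for p in PARITY_POS)


def word_bits(byte, code):
    """The 12-bit word as a string, position 1 first."""
    return "".join(str(b) for b in _place(byte, code)[1:])


def correct(byte, code):
    """Check a (possibly faulty) byte against its parity bits.

    Returns (byte, code, position): the corrected byte and parity bits, and
    the position that was flipped back (0 when every check passes).
    """
    word = _place(byte, code)
    # Each failing check contributes its position; the sum locates the fault.
    syndrome = sum(p for p in PARITY_POS if _group_parity(word, p))
    if syndrome > 12:
        raise ValueError("syndrome %d is not a valid position: multi-bit fault" % syndrome)
    if syndrome:
        word[syndrome] ^= 1
    fixed = 0
    for pos in DATA_POS:
        fixed = (fixed << 1) | word[pos]
    return fixed, tuple(word[p] for p in PARITY_POS), syndrome


if __name__ == "__main__":
    predicted = hamming_code(0x67)     # parity predicted from the good byte
    print("Example 1:", word_bits(0x63, predicted), correct(0x63, predicted))
    print("Example 2:", correct(0x67, (0, 1, 0, 1)))
    # Two flips (d2 and d1 of 0x67 give 0x61): the syndrome points at
    # position 1, so the data stays wrong and no error is signalled.
    print("Double flip:", correct(0x61, predicted))
```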
Appendix B 
B. Fault Propagation in Satellite Data (Non-imaging 
Data) 
This appendix carries out the fault propagation analysis using AES mode analysis in
non-imaging data.
This is the telemetry data from UK-DMC satellite. 
V=12, Lat = -40.6 02.6 40.0, Long = -76.2 24.1 67.3 
V=6, Lat = +10.4 02.0 14.6, Long = + 12.4 12.3 45.6 
V=10, Lat = -20.6 02.0 45.3, Long = +76.0 34.5 23.8 
V=11, Lat = +00.9 45.6 12.3, Long = -12.256.745.0 
V= 18, Lat = + 12.1 22.4 20.5, Long = -23.5 78.5 90.0 
List 1 Plain Text (telemetry) 
Error Propagation During Encryption in CBC mode
Error injected at 'State', 3rd round, 4th byte, 5th bit in block 2.
V= 12, Lat = -40.6 02.6 40.0, 
V=6, Lat = + 10.4 02.0 14.6, Long = + 12.4 12.3 45.6 
V= 10, Lat = -20.6 02.0 45.3, Long = +76.034.5 23.8 
V= ll, Lat = +00.9 45.6 12.3, Long = -12.2 56.745.0 
V= 18, Lat = + 12.1 22.4 20.5 Long = -23.5 78.5 90.0 _____ _ 
List 2 Decrypted Text With Error sing B 
V=12, Lat = -40.6 02.6 40.0 
V=6 Lat = + 10.4 02.0 
List 3 Decrypted Text With Error in OFB Mode 
V=12 Lat = -40.6 02.6 40.0, r.-
.3 
V=6, Lat = +10.4 02.0 14.6, Long = +12.4 12.3 45.6 
V=10, Lat = -20.6 02.0 45.3, Long = +76.0 34.523.8 
V= ll Lat = +00.9 45.6 12.3, Long = -12.256.745.0 
V=18, Lat = + 12.1 22.4 20.5, Long = -23.578.5 90.0 _____ _ 
List 4 Decrypted Text With Error Using CFB Mode 
V=12, Lat = -40.6 02.6 40.0, 
V=6, Lat = +10.4 02.0 14.6, Long = +12.4 12.3 45.6 
V=10, Lat = -20.6 02.0 45.3, Long = +76.034.5 23.8 
V=11,Lat =+00.945.6 12.3 Long = -12.256.745.0 
V= 18, Lat = + 12.1 22.4 20.5, Long = -23.5 78.5 90.0 
List 5 Decrypted Text With Error Using CTR Mode
Appendix C 
C. MixColumns & SubBytes Block Diagrams 
[Figure: 8-bit input X, Inversion in GF(2^8), Affine Transform, 8-bit output]
Block Diagram of the SubBytes Using Composite Field Mathematics
Block Diagram of the MixColumns Using Galois Field Multiplication
