Scispace (Formerly Typeset)
Showing papers on "AES implementations published in 2020"
Journal Article • DOI 10.1109/TIFS.2020.2971153
Trivially and Efficiently Composing Masked Gadgets With Probe Isolating Non-Interference
Gaëtan Cassiers (1), François-Xavier Standaert (1)
(1) Université catholique de Louvain
03 Feb 2020 - IEEE Transactions on Information Forensics and Security
TL;DR: A new definition of Probe Isolating Non-Interference (PINI) is introduced that allows both trivial composition and efficient implementations, and general composition theorems for PINI gadgets are proved that considerably simplify the analysis of complex masked implementations.
Abstract: We revisit the analysis and design of masked cryptographic implementations to prevent side-channel attacks. Our starting point is the (known) observation that proving the security of a higher-order masked block cipher exhaustively requires unrealistic computing power. As a result, a natural strategy is to split algorithms into smaller parts (or gadgets), with as main objectives to enable both simple composition (as initiated by Barthe et al. at CCS 2016) and efficient implementations. We argue that existing composition strategies allow either trivial composition with significant overheads or optimized composition with more analysis effort. As a result, we first introduce a new definition of Probe Isolating Non-Interference (PINI) that allows both trivial composition and efficient implementations. We next prove general composition theorems for PINI gadgets that considerably simplify the analysis of complex masked implementations. We finally design efficient multiplication gadgets that satisfy this definition. As additional results, we exhibit a limitation of existing compositional strategies for the analysis of Multiple-Inputs / Multiple-Outputs (MIMO) gadgets, extend Barthe et al.'s definition of Strong Non-Interference (SNI) to deal with this context, and describe an optimization method to design efficient MIMO-SNI (sub)circuits. Our results allow proving the security of a recent masked AES implementation by Goudarzi and Rivain (EUROCRYPT 2017). From the implementation viewpoint, PINI implementations reach the level of performance of the best composable masking schemes for the AES Rijndael, and outperform them by significant factors for lightweight ciphers.

114 citations

Proceedings Article • DOI 10.1145/3405669.3405819
Implementing AES Encryption on Programmable Switches via Scrambled Lookup Tables
Xiaoqi Chen (1)
(1) Princeton University
14 Aug 2020
TL;DR: The Scrambled Lookup Table technique is presented for reducing the number of sequential arithmetic operations required for AES encryption, by utilizing the table matching capability available on programmable switches.
Abstract: AES is a symmetric encryption algorithm widely used in many applications. An AES implementation in the data plane can help us build in-network security and privacy applications, such as IP header encryption or onion routing. However, it is not straightforward to implement AES on today's commodity programmable switches, which may not include a dedicated cryptography co-processor and support only simple arithmetic operation and table lookup. In this paper, we present the Scrambled Lookup Table technique for reducing the number of sequential arithmetic operations required for AES encryption, by utilizing the table matching capability available on programmable switches. We demonstrate an efficient implementation of AES on the Barefoot Tofino programmable switch that encrypts 10.92Gbit, 8.76Gbit, and 7.37Gbit of data per second, for AES-128, -192, and -256 respectively, using less than 15% of the switch memory.

64 citations

Journal Article • DOI 10.1007/S13389-019-00207-5
How to reveal the secrets of an obscure white-box implementation
Louis Goubin (1), Pascal Paillier, Matthieu Rivain, Junwei Wang (2)
(1) Université Paris-Saclay; (2) University of Luxembourg
01 Apr 2020 - Journal of Cryptographic Engineering
TL;DR: A detailed description of the different steps of the linear decoding analysis that is used to extract the key from the encoded intermediate variables of the target challenge is given, and it is generalized to an attack methodology to break further obscure white-box implementations.
Abstract: White-box cryptography (WBC) protects key extraction from software implementations of cryptographic primitives. Many academic works have been done achieving partial results toward WBC, but a complete solution has not been found yet by the cryptography community. As a result, the industry can only rely on proprietary and non-publicly scrutinized white-box implementations. It is therefore of interest to investigate the obtainable resistance of an AES implementation to thwart a white-box adversary in this paradigm. To this purpose, the ECRYPT CSA project has organized the WhibOx contest as the catch the flag challenge of CHES 2017. Researchers and engineers were invited to participate either as designers by submitting the source code of an AES-128 white-box implementation with a freely chosen key, or as breakers by trying to extract the hard-coded keys in the submissions. The participants were not expected to disclose their identities or the underlying designing/attacking techniques. In the end, all 94 submitted challenges were broken, and only 13 of them held for more than one day. The strongest (in terms of surviving time) implementation survived for 28 days (which is more than twice as long as the second one). It was only broken by the authors of the present paper with reverse engineering and algebraic analysis. In this paper, we give a detailed description of the different steps of our cryptanalysis. We then generalize it to an attack methodology to break further obscure white-box implementations. In particular, we formalize and generalize the linear decoding analysis that we use to extract the key from the encoded intermediate variables of the target challenge.

33 citations

Proceedings Article • DOI 10.23919/DATE48585.2020.9116387
On the performance of non-profiled differential deep learning attacks against an AES encryption algorithm protected using a correlated noise generation based hiding countermeasure
Amir Alipour (1), Athanasios Papadimitriou (1), Vincent Beroulle (1), Ehsan Aerabi (1), David Hely (1)
(1) University of Grenoble
9 Mar 2020
TL;DR: It is shown that this AES, with correlated noise generation as a lightweight countermeasure, can provide equivalent protection under CPA and under non-profiling DLSCA attacks, in terms of the required power traces to obtain the secret key.
Abstract: Recent works in the field of cryptography focus on Deep Learning based Side Channel Analysis (DLSCA) as one of the most powerful attacks against common encryption algorithms such as AES. As a common case, profiling DLSCA has shown great capabilities in revealing secret cryptographic keys against the majority of AES implementations. In a very recent study, it has been shown that Deep Learning can be applied in a non-profiling way (non-profiling DLSCA), making this method considerably more practical and able to break powerful countermeasures for encryption algorithms such as AES, including masking countermeasures, while requiring considerably fewer power traces than a first-order CPA attack. In this work, our main goal is to apply non-profiling DLSCA against a hiding-based AES countermeasure which utilizes correlated noise generation so as to hide the secret encryption key. We show that this AES, with correlated noise generation as a lightweight countermeasure, can provide equivalent protection under CPA and under non-profiling DLSCA attacks, in terms of the required power traces to obtain the secret key.

19 citations

Proceedings Article • DOI 10.1109/HOST45689.2020.9300266
RS-Mask: Random Space Masking as an Integrated Countermeasure against Power and Fault Analysis
Keyvan Ramezanpour (1), Paul Ampadu (1), William Diehl (1)
(1) Virginia Tech
7 Dec 2020
TL;DR: In this paper, random space masking (RS-Mask) is proposed as a countermeasure against both power analysis and statistical fault analysis (SFA) techniques, which can be used to recover the secret key of ciphers even in masked implementations.
Abstract: While modern masking schemes provide provable security against passive side-channel analysis (SCA), such as power analysis, single faults can be employed to recover the secret key of ciphers even in masked implementations. In this paper, we propose random space masking (RS-Mask) as a countermeasure against both power analysis and statistical fault analysis (SFA) techniques. In the RS-Mask scheme, the distribution of all sensitive variables, faulty and/or correct values, is uniform, and it therefore protects the implementations against any SFA technique that exploits the distribution of intermediate variables, including fault sensitivity analysis (FSA), statistical ineffective fault analysis (SIFA) and fault intensity map analysis (FIMA). We implement RS-Mask on AES, and show that a SIFA attack is not able to identify the correct key. We additionally show that an FPGA implementation of AES, protected with RS-Mask, is resistant to power analysis SCA using Welch's t-test. The area of the RS-Masked AES is about 3.5 times that of an unprotected AES implementation of similar architecture, and about 2 times that of a known FPGA SCA-resistant AES implementation. Finally, we introduce infective RS-Mask that provides security against differential techniques, such as differential fault analysis (DFA) and differential fault intensity analysis (DFIA), with a slight increase in overhead.

15 citations

Proceedings Article • DOI 10.1109/DFT50435.2020.9250870
You can detect but you cannot hide: Fault Assisted Side Channel Analysis on Protected Software-based Block Ciphers
Athanasios Papadimitriou (1), Konstantinos Nomikos (1), Mihalis Psarakis (1), Ehsan Aerabi (2), David Hely (2)
(1) University of Piraeus; (2) University of Grenoble
19 Oct 2020
TL;DR: In this paper, the authors propose an evaluation platform capable of performing emulated fault injection campaigns against modern MCUs and, at the same time, able to acquire experimental electromagnetic (EM) emissions and power traces of cryptographic computations to be used for SCA attacks.
Abstract: Cryptographic implementations are prone to Side Channel Analysis (SCA) attacks and Fault Injection (FI) attacks at the same time. Therefore, countermeasures protecting an implementation need to be evaluated against both attacks. The main contribution of this work is twofold. First, we propose an evaluation platform capable of performing emulated fault injection campaigns against modern MCUs and, at the same time, able to acquire experimental electromagnetic (EM) emissions and power traces of cryptographic computations to be used for SCA attacks. Second, we perform experimental evaluations of countermeasures protecting against both SCA and FI attacks, which show that the injection of faults can dramatically reduce the effectiveness of SCA countermeasures. We evaluate two cryptographic algorithms, an AES and a PRESENT S-box implementation, which are protected by different countermeasures protecting in parallel against FI and SCA attacks. The AES secure implementation is protected by hiding-based SCA countermeasures, while it uses a redundancy-based technique against FI attacks. On the other hand, the PRESENT S-box is protected by a software implementation of a Dual-rail with Precharge Logic (DPL) countermeasure including fault detection capabilities. We present extensive experimental evaluations for the AES implementation and first results for the PRESENT S-box, showing that for both implementations the fault injections increase the efficiency of the SCA attacks and lead to very fast recoveries of the secret keys.

11 citations

Journal Article • DOI 10.1142/S0218126620500449
A Hybrid Countermeasure-Based Fault-Resistant AES Implementation
Noura Benhadjyoussef (1), Mouna Karmani (1), Mohsen Machhout (1), Belgacem Hamdi (1)
(1) University of Monastir
15 Mar 2020 - Journal of Circuits, Systems, and Computers
TL;DR: A Fault-Resistant scheme has been proposed to secure the Advanced Encryption Standard (AES) against Differential Fault Analysis (DFA) attack.
Abstract: A Fault-Resistant scheme has been proposed to secure the Advanced Encryption Standard (AES) against Differential Fault Analysis (DFA) attack. In this paper, a hybrid countermeasure has been present...

9 citations

Journal Article • DOI 10.1016/J.JPDC.2019.12.013
Efficient AES implementation on Sunway TaihuLight supercomputer: A systematic approach
Liandeng Li (1), Jiarui Fang (1), Jinlei Jiang (1), Lin Gan (1), Weijie Zheng (1), Haohuan Fu (1), Guangwen Yang (1)
(1) Tsinghua University
01 Apr 2020 - Journal of Parallel and Distributed Computing
TL;DR: SW-AES is presented, a parallel AES implementation on the Sunway TaihuLight, one of the fastest supercomputers in the world that takes the SW26010 processor as the basic building block and presents scalable ways to efficiently run AES on many nodes.

7 citations

Book Chapter • DOI 10.1007/978-981-13-8406-6_80
Compact and Secure S-Box Implementations of AES - A Review
Amrik Singh (1), Ajay Prasad (1), Yoginder Talwar
(1) University of Petroleum and Energy Studies
1 Jan 2020
TL;DR: The S-Box transformation in an AES implementation is the nonlinear transformation; it provides the confusion part of data encryption and contributes a significant part in achieving high security.
Abstract: The S-Box is normally implemented using lookup tables (LUT) in which the 256 predefined values of the S-Box, and the same number for the Inverse S-Box, are stored in a ROM; this offers a shorter critical depth and is suitable for FPGA implementation in terms of gate count. In high-speed pipelined designs, the unbreakable delay of the LUT becomes a drawback. The efficiency of an AES hardware implementation in terms of speed, security, size, and power consumption largely depends on its architecture. Every attempt has been made by researchers to optimize one or more parameters for some specific application, either to reduce the chip area or power consumption, or to increase efficiency, throughput, and security level. The different application requirements of society demand different parameters: small size for mobile applications, high-speed processing for quick response. The S-Box transformation in an AES implementation is the nonlinear transformation; it provides the confusion part of data encryption and contributes a significant part in achieving high security. CFA-based optimization is used for reducing the area of FPGA or VLSI designs for compact mobile applications, while data security is ensured by adopting different masking techniques.

5 citations

Journal Article • DOI 10.37936/ECTI-CIT.2020142.239925
Electromagnetic Side-Channel Attack on AES using Low-end Equipment
Oskar Westman (1), Martin Hell
(1) Lund University
3 Jun 2020
TL;DR: Electromagnetic radiation from an FPGA is considered, and the extent to which key information from an AES implementation can be deduced using a low-end oscilloscope is examined, showing that some key bits indeed can be inferred from the measurements despite a far from optimal setting.
Abstract: Side-channel attacks on cryptographic algorithms target the implementation of the algorithm. Information can leak from the implementation in several different ways and, in this paper, electromagnetic radiation from an FPGA is considered. We examine to which extent key information from an AES implementation can be deduced using a low-end oscilloscope. Moreover, we examine how the antenna's distance from the FPGA affects the results in this setting. Our experiments show that some key bits indeed can be inferred from the measurements, despite having a far from optimal setting.

5 citations

Journal Article • DOI 10.1186/S42400-020-0045-8
Efficient electro-magnetic analysis of a GPU bitsliced AES implementation
Yiwen Gao (1), Yongbin Zhou (1), Wei Cheng (1)
(1) Chinese Academy of Sciences
01 Dec 2020 - Cybersecurity
TL;DR: This work investigates electro-magnetic side-channel vulnerabilities of a GPU-based bitsliced AES implementation from the perspective of bit-level parallelism and thread-level parallelism in order to make the best of the localization effect of EM leakage with parallelism, and proposes efficient multi-bit and multi-thread combinational analysis techniques based on the intrinsic properties of bitsliced ciphers and the effect of multi-thread parallelism of GPUs.
Abstract: The advent of CUDA-enabled GPUs makes it possible to provide cloud applications with high-performance data security services. Unfortunately, recent studies have shown that GPU-based applications are also susceptible to side-channel attacks. These published works studied the side-channel vulnerabilities of GPU-based AES implementations by taking advantage of the cache sharing among multiple threads or the high parallelism of GPUs. Therefore, for GPU-based bitsliced cryptographic implementations, which are immune to the cache-based attacks referred to above, only a power analysis method based on the high parallelism of GPUs may be effective. However, the leakage model used in the power analysis is not efficient at all in practice. In light of this, we investigate electro-magnetic (EM) side-channel vulnerabilities of a GPU-based bitsliced AES implementation from the perspective of bit-level parallelism and thread-level parallelism in order to make the best of the localization effect of EM leakage with parallelism. Specifically, we propose efficient multi-bit and multi-thread combinational analysis techniques based on the intrinsic properties of bitsliced ciphers and the effect of multi-thread parallelism of GPUs, respectively. The experimental result shows that the proposed combinational analysis methods perform better than non-combinational and intuitive ones. Our research suggests that multi-thread leakages can be used to improve attacks if the multi-thread leakages are not synchronous in the time domain.

Proceedings Article • DOI 10.1109/VDAT50263.2020.9190580
Side Channel Leakage Assessment Strategy On Attack Resistant AES Architectures
Shabbir Darbar (1), Mervin J (1), David Selvakumar (1)
(1) Centre for Development of Advanced Computing
23 Jul 2020
TL;DR: This work quantifies the effectiveness of unmasked and masked AES implementations in side channel mitigation and also identifies the point of leakage and approximate number of traces required to identify the leakage on the adopted mitigation technique.
Abstract: A leakage assessment/evaluation and comparative analysis of various architectures of the masked AES-128 cryptographic algorithm to mitigate side channel attacks is presented. In this work, unmasked and masked implementations of the S-Box for AES-128 at the micro-architecture level, and also the generation of random masks using a True Random Number Generator based on a Galois ring oscillator of polynomial 16, are implemented and discussed in detail. Side channel leakage is evaluated by Correlation Power Analysis (CPA) and leakage assessment using Welch's t-test. The implementations are realized on the SAKURA-G side channel evaluation board. This work quantifies the effectiveness of unmasked and masked AES implementations in side channel mitigation, and also identifies the point of leakage and the approximate number of traces required to identify the leakage on the adopted mitigation technique.

Book Chapter • DOI 10.1007/978-3-030-16848-3_9
Performance Analysis of AES Implementation on a Wireless Sensor Network
Chetan Rajan Dongarsane, D. Maheshkumar (1), S. V. Sankpal
(1) JSSATE Noida
1 Jan 2020
TL;DR: Evaluating AES performance on a wireless sensor node with consideration of energy consumption shows that AES, a symmetric cipher with few practical vulnerabilities, provides sufficient levels of security for the confidentiality of data in a WSN.
Abstract: For a Wireless Sensor Network (WSN) there is a strong requirement for the security as well as the confidentiality of sensed data. Any protocol design for WSNs needs to consider the limitations of sensor nodes carefully. Nowadays the Advanced Encryption Standard (AES) has attracted the attention of researchers for WSN applications. AES is a symmetric cipher with few practical vulnerabilities and provides sufficient levels of security for the confidentiality of data in a WSN. This paper evaluates AES performance on a wireless sensor node with consideration of energy consumption.

Book Chapter • DOI 10.1007/978-3-030-68487-7_10
Differential Analysis and Fingerprinting of ZombieLoads on Block Ciphers
Till Schlüter, Kerstin Lemke-Rust (1)
(1) Bonn-Rhein-Sieg University of Applied Sciences
18 Nov 2020
TL;DR: In this paper, the authors presented a new method that links the analysis of ZombieLoads to differential power analysis (DPA) techniques and provided an alternative way to derive the secret key of block ciphers.
Abstract: Microarchitectural Data Sampling (MDS) [16, 18] enables observing in-flight data that has recently been loaded or stored in shared short-time buffers on a physical CPU core. In-flight data sampled from line-fill buffers (LFBs) are also known as "ZombieLoads" [16]. We present a new method that links the analysis of ZombieLoads to Differential Power Analysis (DPA) techniques and provides an alternative way to derive the secret key of block ciphers. This method compares observed ZombieLoads with predicted intermediate values that occur during cryptographic computations depending on a key hypothesis and known data. We validate this approach using an Advanced Encryption Standard (AES) software implementation. Further, we provide a novel technique of cache line fingerprinting that reduces the superposition of ZombieLoads from different cache lines in the data sets resulting from an MDS attack. Thereby, this technique is helpful to reveal static secret data such as AES round keys, which is shown in practice on an AES implementation.

Proceedings Article • DOI 10.1109/CIS52066.2020.00066
Attacking FPGA-based Dual Complementary AES Implementation Using HD and SD Models
Wenlong Cao (1), Fan Huang (1), Mengce Zheng (1), Honggang Hu (1)
(1) University of Science and Technology of China
1 Nov 2020
TL;DR: In this paper, the authors performed correlation power analysis (CPA) against dual complementary AES implemented on the SAKURA-G FPGA board, which is demonstrated to be robust against CPA based on HW model with 2,000 power traces.
Abstract: Field-programmable gate arrays (FPGAs) are widely used in many fields because of their low power consumption, easy design and good performance. For applications running on FPGAs, security is very important. A lot of research has been done on the security of FPGA implementations, and many attacks and countermeasures have been proposed. The dual complementary strategy is a countermeasure designed to thwart side channel attacks. In this paper, we perform Correlation Power Analysis (CPA) against dual complementary AES implemented on the SAKURA-G FPGA board. For dual complementary AES with constant Hamming Weight (HW) value, which is demonstrated to be robust against CPA based on the HW model, we successfully recover the secret key using Hamming Distance (HD) and Switching Distance (SD) models with 2,000 power traces. For dual complementary AES with constant HD, 16,000 resp. 10,000 power traces are required to recover the key with the HD resp. SD model.

Book Chapter • DOI 10.1007/978-3-030-65299-9_29
Filtering-based correlation power analysis (CPA) with signal envelopes against shuffling methods
Youngbae Jeon (1), Ji Won Yoon (1)
(1) Korea University
26 Aug 2020
TL;DR: In this paper, the authors proposed a new correlation power analysis (CPA) technique by efficiently clustering the power traces using signal envelopes and tested it with the eight-shuffling AES implementations.
Abstract: Correlation Power Analysis (CPA) is one of the powerful Side-Channel Analysis (SCA) methods to reveal the secret key using the linear relationship between intermediate values and power consumption. To defend against the analysis, many crypto-systems embed a shuffling implementation which shuffles the order of operations to break the relationship between power consumption and processed information. Although the shuffling method increases the number of power traces required for CPA, it is still vulnerable if an attacker can classify or group the power traces by operations. In this work, we propose a new CPA technique that efficiently clusters the power traces using signal envelopes. We demonstrate a theoretically reduced time complexity and test our approach on the eight-shuffling AES implementations.

Journal Article • DOI 10.24200/SCI.2020.54534.3797
Modified Cache-Template Attack on AES
Mahdi Esfahani (1), Hadi Soleimany (2), Mohammad Reza Aref (3)
(1) Islamic Azad University; (2) Shahid Beheshti University; (3) Sharif University of Technology
07 Dec 2020 - Scientia Iranica
TL;DR: Cache template attack on T-table-based AES implementation consists of two phases including the profiling phase and the key exploitation phase as discussed by the authors, where most significant bits (MSBs) of the secret key bytes are retrieved by monitoring exploitable addresses.

Proceedings Article • DOI 10.1145/3440943.3444724
Breaking a Masked AES Implementation Using a Deep Learning-based Attack
Daehyeon Bae (1), Jongbae Hwang (1), Jae-Cheol Ha (1)
(1) Hoseo University
12 Dec 2020
TL;DR: In this paper, the MLP (Multi-Layer Perceptron) and CNN (Convolutional Neural Network) deep learning models are developed to break the masked AES implementation.
Abstract: The block cipher AES (Advanced Encryption Standard) is a cryptographic algorithm used to guarantee the confidentiality of a message. A masked implementation of AES is often used to increase resistance against SCA (Side Channel Attacks). This paper presents some deep learning-based attacks for extracting AES secret keys embedded in cryptographic devices. The proposed attack methods represent new approaches to computing the secret key by applying the mask profiling techniques. The MLP (Multi-Layer Perceptron) and CNN (Convolutional Neural Network) deep learning models are developed to break the masked AES implementation. Our experimental results show the overwhelming advantages of the novel attack methods when targeting both unmasked and masked implementation of AES.

Proceedings Article • DOI 10.1109/ICCE-BERLIN50680.2020.9352195
Automating the BGE Attack on White-Box Implementations of AES with External Encodings
Alessandro Amadori (1), Wil Michiels (1), Peter Roelse
(1) Eindhoven University of Technology
9 Nov 2020
TL;DR: In this article, a method to automate the Billet, Gilbert, and Ech-Chatbi (BGE) attack on white-box AES implementations with a specific type of external encoding is presented.
Abstract: Cloud-based payments, virtual car keys, and digital rights management are examples of consumer electronics applications that use secure software. White-box implementations of the Advanced Encryption Standard (AES) are important building blocks of secure software systems, and the attack of Billet, Gilbert, and Ech-Chatbi (BGE) is a well-known attack on such implementations. A drawback from the adversary’s or security tester’s perspective is that manual reverse engineering of the implementation is required before the BGE attack can be applied. This paper presents a method to automate the BGE attack on a class of white-box AES implementations with a specific type of external encoding. The new method was implemented and applied successfully to a CHES 2016 capture the flag challenge.

Journal Article
Side-channel Attacks with Multi-thread Mixed Leakage
Yiwen Gao (1), Yongbin Zhou (1)
(1) Chinese Academy of Sciences
01 Jan 2020 - IACR Cryptology ePrint Archive
TL;DR: This study suggests that GPU-based cryptographic implementations may be highly vulnerable to microarchitecture-based side-channel attacks, and that GPU-specific countermeasures should be considered for GPU-based cryptographic implementations in practical applications.
Abstract: Side-channel attacks are one of the greatest practical threats to security-related applications, because they are capable of breaking ciphers that are assumed to be mathematically secure. Lots of studies have been devoted to power or electro-magnetic (EM) analysis against desktop CPUs, mobile CPUs (including ARM, MSP, AVR, etc.) and FPGAs, but rarely targeted modern GPUs. Modern GPUs feature their special and specific single instruction multiple threads (SIMT) execution fashion, which makes their power/EM leakage more sophisticated in practical scenarios. In this article, we study side-channel attacks with leakage from SIMT systems, and propose leakage models suited to any SIMT system and specifically to CUDA-enabled GPUs. Afterwards, we instantiate the models with a GPU AES implementation, which is also used for performance evaluations. In addition to the models, we provide optimizations of the attacks that are based on the models. To evaluate the models and optimizations, we run the GPU AES implementation on a CUDA-enabled GPU and, at the same time, collect its EM leakage. The experimental results show that the proposed models are more efficient and the optimizations are effective as well. Our study suggests that GPU-based cryptographic implementations may be highly vulnerable to microarchitecture-based side-channel attacks. Therefore, GPU-specific countermeasures should be considered for GPU-based cryptographic implementations in practical applications.

Journal Article • DOI 10.1007/S11042-020-08613-2
ESSENCE: GPU-based and dynamic key-dependent efficient stream cipher for multimedia contents
Raphaël Couturier (1), Hassan N. Noura (2, 3), Ali Chehab (2)
(1) Centre national de la recherche scientifique; (2) American University of Beirut; (3) Arab Open University
01 May 2020 - Multimedia Tools and Applications
TL;DR: ESSENCE, a lightweight stream cipher scheme which combines two different Pseudo-Random Number Generators (PRNG) and is based on a dynamic key approach, achieves a high level of security with minimal latency and required resources when compared to existing cipher standards such as AES.
Abstract: Data Confidentiality (DC) is considered one of the most important security services. Currently, a set of existing cipher algorithms is being used to ensure DC. However, researchers constantly investigate the design and implementation of more efficient cipher schemes. To this end, different versions of AES have been implemented efficiently on GPUs to increase efficiency over big data. However, AES implementation on GPU exhibits limitations in terms of latency and hence might not be a suitable solution for high data rates in modern systems and applications. This often leads to a trade-off between system performance and security level. To address these challenges, we propose "ESSENCE", a lightweight stream cipher scheme which combines two different Pseudo-Random Number Generators (PRNG) and is based on a dynamic key approach. The scheme achieves a high level of security with minimal latency and required resources when compared to existing cipher standards such as AES. Moreover, the implementation of the proposed dynamic key-dependent cipher scheme on GPU is more efficient compared to all existing AES implementations on GPUs. Experimental results indicate that the proposed cipher is highly efficient, with a throughput of more than 115 GB/s on a Titan X GPU and more than 372 GB/s on a Titan V100 GPU. Thus, ESSENCE can be considered a promising stream cipher candidate with a high randomness degree (BigCrush of TestU01), periodicity, and key sensitivity.

Repository • DOI 10.5281/zenodo.3760706
Architectural Optimization of AES Transformations and Keyexpansion
K. Rahimunnisa (1)
(1) Easwari Engineering College
22 Apr 2020
Abstract: The Advanced Encryption Standard (AES) is a cryptographic algorithm used for data protection. Designing an efficient hardware architecture for AES with small hardware resource usage is a challenge, and much work is ongoing on efficient AES implementations. The cost and power consumption of AES can be reduced considerably by optimizing its architecture. AES uses the AddRoundKey, SubBytes, ShiftRows and MixColumns data transformations together with a KeyExpansion block. Among these, the two most expensive transformations in terms of computational resources are MixColumns and SubBytes. In this paper, new techniques for the ASIC implementation of these two transformations and of the KeyExpansion block are proposed.
Journal Article•10.1016/J.JKSUES.2018.07.002•
An efficient AES implementation using FPGA with enhanced security features

[...]

Harshali Zodpe1, Ashok M. Sapkal1•
College of Engineering, Pune1
01 Feb 2020-Journal of King Saud University: Engineering Sciences
TL;DR: A new approach for generating S-box values and the initial key required for encryption/decryption (improved key generation) using a PN Sequence Generator; the AES algorithm with the proposed modifications shows significant improvement in encryption quality compared to the traditional AES algorithm.
Abstract: Data transferred electronically is vulnerable to attacks. With the aim of protecting data for secure communication, a new hybrid non-pipelined Advanced Encryption Standard (AES) algorithm, based on the traditional AES algorithm with enhanced security features, is proposed in this work. Analysis of the AES algorithm implies that the security of AES lies in the S-box operations. This paper presents a new approach for generating S-box values (modified S-box) and the initial key required for encryption/decryption (improved key generation) using a PN Sequence Generator. The AES algorithm with the proposed modifications shows significant improvement in encryption quality compared to the traditional AES algorithm. The traditional AES algorithm equipped with the proposed modified S-box technique and improved key generation technique gives an avalanche effect of 60%, which the authors argue makes it invulnerable to attacks. The proposed design is synthesized on various Field Programmable Gate Array (FPGA) devices and compared to existing designs, resulting in a significant improvement in throughput. The proposed design is implemented on a Spartan6 FPGA device.
Journal Article•10.1007/S00145-019-09342-Y•
Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

[...]

Felix Wegener1, Lauren De Meyer2, Amir Moradi1•
Ruhr University Bochum1, Katholieke Universiteit Leuven2
01 Jul 2020-Journal of Cryptology
TL;DR: This paper demonstrates a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices and introduces the smallest first-order masked AES implementation on Xilinx FPGAs, to date.
Abstract: The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs), in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes, a well-known side-channel analysis countermeasure, which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of a 4.5 times increase in latency, one of our design variants requires 25% fewer look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Guneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean function of degree t with protection order d. The methodology is exact for first order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs to date.
Proceedings Article•10.1109/ISCAS45731.2020.9181276•
Dynamically Reconfigurable Resource Efficient AES Implementation for IoT Applications

[...]

Abdelrahman M. Ruby1, Shady Mohamed Soliman1, Hassan Mostafa2•
German University in Cairo1, Cairo University2
1 Oct 2020
TL;DR: A design is proposed using Advanced Encryption Standard (AES) and the Dynamic Partial Reconfiguration (DPR) feature of the FPGA to tackle the security problem.
Abstract: The Internet of Things (IoT) is the ability of things to share useful data with each other. It is becoming one of the most crucial technologies of our generation; however, one of its biggest challenges is security. In this paper, a design is proposed using the Advanced Encryption Standard (AES) and the Dynamic Partial Reconfiguration (DPR) feature of the FPGA to tackle the security problem. AES-128 is used with 128-bit input data and a 128-bit key. DPR is a new feature that allows the same hardware to be reused for different functions, which minimizes the area and power needed by a system. The DPR variants are one round of encryption and one round of decryption. The proposed design offers a cryptographic implementation with low hardware usage and low power consumption. The average reduction in resources consumed is 33% for encryption and 29% for decryption, and energy utilization is decreased by 43.75%. The proposed work is tested on a ZC702 evaluation board, synthesized and implemented using Vivado 2015.2.