A very compact Rijndael S-box
Canright, David R.
One key step in the Advanced Encryption Standard (AES), or Rijndael, algorithm is called the "S-box", the only nonlinear step in each round of encryption/decryption. A wide variety of implementations of AES have been proposed, for various desiderata, that effect the S-box in various ways. In particular, the most compact implementation to date of Satoh et al. performs the 8-bit Galois field inversion of the S-box using subfields of 4 bits and of 2 bits. This work describes a refinement of this approach that minimizes the circuitry, and hence the chip area, required for the S-box. While Satoh used polynomial bases at each level, we consider also normal bases, with arithmetic optimizations; altogether, 432 different cases were considered. The isomorphism bit matrices are fully optimized, improving on the "greedy algorithm." The best case reduces the number of gates in the S-box by 20%. This decrease in chip area could be important for area-limited hardware implementations, e.g., smart cards. And for applications using larger chips, this approach could allow more copies of the S-box, for parallelism and/or pipelining in non-feedback modes of AES.
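As an added illustration (not the paper's circuit, and not its optimized normal-basis matrices), here is the Satoh-style polynomial-basis tower the abstract refers to, in Python: GF(2^8) inversion is reduced to GF(2^4) and GF(2^2) arithmetic, the AES-to-tower isomorphism (the "bit matrix" the paper optimizes) is found by a root search instead of by hand, and the resulting S-box is checked against known entries. PHI and LAMBDA are assumed constants chosen here so that each quadratic extension is a field.

```python
# Added example (not the paper's code): the AES S-box with its GF(2^8) inverse
# computed in the GF(((2^2)^2)^2) tower, a polynomial basis at every level.
def gf4_mul(a, b):
    """GF(2^2) = GF(2)[w]/(w^2+w+1); elements are 2-bit ints a1*w + a0."""
    a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
    hi = (a1 & b1) ^ (a1 & b0) ^ (a0 & b1)          # w^2 = w + 1
    return (hi << 1) | ((a1 & b1) ^ (a0 & b0))
gf4_inv = lambda a: gf4_mul(a, a)   # a^3 = 1 for a != 0, so a^-1 = a^2; 0 stays 0

def quad_mul(a, b, bits, sub_mul, c):
    """Multiply in F[y]/(y^2 + y + c) over a subfield F given by sub_mul."""
    m = (1 << bits) - 1
    a1, a0, b1, b0 = a >> bits, a & m, b >> bits, b & m
    t = sub_mul(a1, b1)
    hi = t ^ sub_mul(a1, b0) ^ sub_mul(a0, b1)
    return (hi << bits) | (sub_mul(t, c) ^ sub_mul(a0, b0))

def quad_inv(a, bits, sub_mul, sub_inv, c):
    """a^-1 = conj(a)/N(a), conj = a1*y+(a1+a0), N = a1^2*c+a1*a0+a0^2 in F."""
    a1, a0 = a >> bits, a & ((1 << bits) - 1)
    ni = sub_inv(sub_mul(sub_mul(a1, a1), c) ^ sub_mul(a1, a0) ^ sub_mul(a0, a0))
    return (sub_mul(a1, ni) << bits) | sub_mul(a1 ^ a0, ni)

PHI, LAMBDA = 0b10, 0b1100  # assumed: y^2+y+PHI over GF(4); z^2+z+LAMBDA over GF(16)
gf16_mul = lambda a, b: quad_mul(a, b, 2, gf4_mul, PHI)
gf16_inv = lambda a: quad_inv(a, 2, gf4_mul, gf4_inv, PHI)
gf256_mul = lambda a, b: quad_mul(a, b, 4, gf16_mul, LAMBDA)
gf256_inv = lambda a: quad_inv(a, 4, gf16_mul, gf16_inv, LAMBDA)

def build_isomorphism():
    """Root r of the AES polynomial x^8+x^4+x^3+x+1 in the tower: x^i -> r^i."""
    for r in range(2, 256):
        p = [1]
        for _ in range(8):
            p.append(gf256_mul(p[-1], r))
        if p[8] ^ p[4] ^ p[3] ^ p[1] ^ p[0] == 0:
            fwd = [0] * 256
            for a in range(1, 256):   # linear: XOR in the column of a's lowest bit
                fwd[a] = fwd[a & (a - 1)] ^ p[(a & -a).bit_length() - 1]
            return fwd, sorted(range(256), key=fwd.__getitem__)  # inverse map
    raise ValueError("PHI/LAMBDA do not define a field")

TO_TOWER, FROM_TOWER = build_isomorphism()
def sbox(x):
    y = FROM_TOWER[gf256_inv(TO_TOWER[x])]   # map in, invert in tower, map back
    s = 0x63                                  # then the AES affine step
    for k in range(5):
        s ^= ((y << k) | (y >> (8 - k))) & 0xFF
    return s
```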
Related items (by title, author, creator and subject):
Canright, David (Monterey, California. Naval Postgraduate School, 2004); NPS-MA-04-001. Same abstract as above.
Canright, David; Osvik, Dag Arne (2009). We explore ways to reduce the number of bit operations required to implement AES. One way involves optimizing the composite field approach for entire rounds of AES. Another way is integrating the Galois multiplications ...
Canright, D.; Batina, Lejla (2008). Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vulnerable to "side-channel attacks" such as differential power analysis. One ...