A Very Compact S-box for AES (Advanced Encryption Standard)
D. Canright
Applied Mathematics Dept.
Naval Postgraduate School
Monterey CA 93943, USA
A Very Compact S-box for AES – CHES2005 – p. 1/26
Advanced Encryption Standard (AES)
Algorithm
AES is a symmetric block cipher.
From the 128-bit key, a different round key is generated for each of 10 rounds.
Each 128-bit block is processed by rounds:
round 0: Add Round Key.
rounds 1-9: S-Box; Shift Rows; Mix Columns; Add Round Key.
round 10: S-Box; Shift Rows; Add Round Key.
step 1: Add Round Key
for the whole 128-bit block:
in ⊕ key → out
where ⊕ is bitwise exclusive-or (XOR). (For decryption, the inverse operation is identical.)
step 2: S-Box (Byte Substitution)
for each 8-bit byte a:
1. Inverse: Let $c = a^{-1}$, the inverse in $GF(2^8)$
2. Affine: The output s is $M c \oplus b$:
$$
\begin{bmatrix} s_7 \\ s_6 \\ s_5 \\ s_4 \\ s_3 \\ s_2 \\ s_1 \\ s_0 \end{bmatrix}
=
\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} c_7 \\ c_6 \\ c_5 \\ c_4 \\ c_3 \\ c_2 \\ c_1 \\ c_0 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}
$$
step3: Shift Rows
for 4 × 4 byte matrix, rotate rows 0–3 accordingly:
a b c d
e f g h
i j k l
m n o p
→
a b c d
f g h e
k l i j
p m n o
step 4: Mix Columns
for each 4-byte column C of the 4 × 4 byte matrix:
$$
\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}
\begin{bmatrix} C_0 \\ C_1 \\ C_2 \\ C_3 \end{bmatrix}
\to
\begin{bmatrix} D_0 \\ D_1 \\ D_2 \\ D_3 \end{bmatrix}
$$
where byte multiplication and addition are in $GF(2^8)$
nonlinearity
the steps Shift Rows, Mix Columns, & Add Round Key are linear operations (and easy)
the S-box function is nonlinear due to the inverse operation in $GF(2^8)$ (not easy to compute)
Galois Fields
definition
A field is a set with two operations, addition ⊕ and multiplication ⊗:
both satisfy closure
both are associative
both are commutative
each has an identity (0 and 1)
any element a has an additive inverse −a
any nonzero element a ≠ 0 has a multiplicative inverse $a^{-1}$
multiplication is distributive over addition
finite fields
A finite field F has $p^n$ elements (prime p, integer n > 0).
F has characteristic p: for any a ∈ F, a + a + ··· + a (p times) = 0.
Fields with the same number of elements are isomorphic.
Over a subfield S ⊂ F of $p^j$ elements, with n = jk: F is a vector space of dimension k over S. Each a ∈ F has a minimal polynomial of degree m ≤ k; the m distinct roots $a, a^{p^j}, \ldots$ are conjugates, their sum is the trace and their product is the norm (of a). The product of all the minimal polynomials is $x^{p^n} - x$.
$GF(2^8)$ Representation
standard, for $GF(2^8)/GF(2)$: $A = a_7 x^7 + \cdots + a_1 x + a_0$, where $a_i \in \{0, 1\}$ and $x^8 + x^4 + x^3 + x + 1 = 0$.
subfield, for $GF(2^8)/GF(2^4)$: $A = a_1 x + a_0$ or $a_1 x_1 + a_0 x_0$, where $a_i, T, N \in GF(2^4)$ and $x^2 + Tx + N = 0$;
then for $GF(2^4)/GF(2^2)$: $A = a_1 x + a_0$ or $a_1 x_1 + a_0 x_0$, where $a_i, T, N \in GF(2^2)$ and $x^2 + Tx + N = 0$;
then for $GF(2^2)/GF(2)$: $A = a_1 x + a_0$ or $a_1 x_1 + a_0 x_0$, where $a_i \in \{0, 1\}$ and $x^2 + x + 1 = 0$.
(note: T is the trace and N is the norm, over the subfield)
Implementation
Implementation Goals
Different applications have different constraints & goals.
speed: throughput and/or latency (by parallelism, pipelining)
  Morioka & Satoh, Int'l Conf. Computer Design (2002), IEEE
  Weaver & Wawrzynek (2002)
  Jarvinen et al., FPGA 03 (2003), ACM
low power: e.g., for smart cards
  Morioka & Satoh, CHES2002 (2003), LNCS 2523
small size: for limited circuitry, e.g., also smart cards
  Rudra et al., CHES2001 (2001), LNCS 2162
  Satoh et al., ASIACRYPT (2001), LNCS 2248
  Wolkerstorfer et al., CT-RSA (2002), LNCS 2271
  Chodowiec & Gaj, CHES2003 (2003), LNCS 2779
  Mentens et al., CT-RSA (2005), LNCS 3376
small size
prior smallest: Satoh et al., used nested fields for the S-box
recent improvement: Mentens et al., considered other isomorphisms (64)
current work: more improvement:
  considered more isomorphisms (432), incl. normal bases
  fully optimized basis-change matrices
  logic-gate substitution (NOR for NAND and XORs)
merged S-box, S-box$^{-1}$
[Figure: block diagram of the merged S-box. Labels along the data path: in; basis (left) or affine$^{-1}$, basis (right); 2:1 mux; $GF(2^8)$ inverter; basis$^{-1}$, affine (left) or basis$^{-1}$ (right); 2:1 mux; out.]
The Satoh architecture shares the inverter between S-box and S-box$^{-1}$
(left pathways for encryption, right pathways for decryption)
This also allows pairs of transformations (input and output) to be optimized together
Main Operations - formulas
using roots of $x^2 + Tx + N$, where T is the trace, N is the norm
polynomial basis $[x, 1]$ inverse & multiplication:
$$[\Gamma_1, \Gamma_0]^{-1} = (\Gamma_1^2 N + \Gamma_1 \Gamma_0 T + \Gamma_0^2)^{-1} \otimes [\,\Gamma_1,\ \Gamma_0 + \Gamma_1 T\,]$$
$$[\Gamma_1, \Gamma_0] \otimes [\Delta_1, \Delta_0] = [\,\Gamma_1 \Delta_0 + \Gamma_0 \Delta_1 + \Gamma_1 \Delta_1 T,\ \Gamma_0 \Delta_0 + \Gamma_1 \Delta_1 N\,]$$
normal basis $[x_1, x_2]$ inverse & multiplication:
$$[\Gamma_1, \Gamma_0]^{-1} = (\Gamma_1 \Gamma_0 T^2 + (\Gamma_1^2 + \Gamma_0^2) N)^{-1} \otimes [\,\Gamma_0,\ \Gamma_1\,]$$
$$[\Gamma_1, \Gamma_0] \otimes [\Delta_1, \Delta_0] = [\,\Gamma_1 \Delta_1 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1},\ \Gamma_0 \Delta_0 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1}\,]$$
May choose T = 1 or N = 1 or $NT^{-1} = 1$; best is T = 1.
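Added example, not the paper's circuit: the polynomial-basis inverse and multiplication formulas above (with T = 1) applied recursively through the tower GF(2) ⊂ GF(2^2) ⊂ GF(2^4) ⊂ GF(2^8) from the Representation slide, joined to the standard AES basis by a computed basis change and to the affine step from the S-Box slide, so the result can be checked against the real S-box. The constant N chosen at each level and the root used for the basis change are choices made here for illustration; the paper picks its own.

```python
def mul_tower(a, b, half, sub_mul, n_const):
    """[G1,G0] (x) [D1,D0] = [G1 D0 + G0 D1 + G1 D1 T, G0 D0 + G1 D1 N], T = 1.
    'half' is the bit width of one subfield coefficient."""
    mask = (1 << half) - 1
    g1, g0 = a >> half, a & mask
    d1, d0 = b >> half, b & mask
    g1d1 = sub_mul(g1, d1)
    hi = sub_mul(g1, d0) ^ sub_mul(g0, d1) ^ g1d1
    lo = sub_mul(g0, d0) ^ sub_mul(n_const, g1d1)
    return (hi << half) | lo

def inv_tower(a, half, sub_mul, sub_inv, n_const):
    """[G1,G0]^-1 = (G1^2 N + G1 G0 T + G0^2)^-1 (x) [G1, G0 + G1 T], T = 1.
    The bracket is the norm of a (a subfield element), so each level needs
    only one subfield inversion. 0 maps to 0, the AES convention."""
    mask = (1 << half) - 1
    g1, g0 = a >> half, a & mask
    norm = sub_mul(n_const, sub_mul(g1, g1)) ^ sub_mul(g1, g0) ^ sub_mul(g0, g0)
    ninv = sub_inv(norm)
    return (sub_mul(ninv, g1) << half) | sub_mul(ninv, g0 ^ g1)

# The tower GF(2) -> GF(2^2) -> GF(2^4) -> GF(2^8); every level uses x^2 + x + N.
def gf2_mul(a, b): return a & b
def gf2_inv(a): return a                                  # 1 -> 1, 0 -> 0
def gf4_mul(a, b): return mul_tower(a, b, 1, gf2_mul, 1)  # x^2 + x + 1 over GF(2)
def gf4_inv(a): return inv_tower(a, 1, gf2_mul, gf2_inv, 1)
N16 = 0b10   # chosen here: the element w of GF(2^2); x^2 + x + w is irreducible
def gf16_mul(a, b): return mul_tower(a, b, 2, gf4_mul, N16)
def gf16_inv(a): return inv_tower(a, 2, gf4_mul, gf4_inv, N16)

def pick_n256():
    """Smallest N in GF(2^4) with no y in GF(2^4) solving y^2 + y + N = 0,
    i.e. x^2 + x + N is irreducible over GF(2^4) (a choice made here)."""
    for n in range(1, 16):
        if all(gf16_mul(y, y) ^ y ^ n for y in range(16)):
            return n
    raise RuntimeError("no irreducible x^2 + x + N")

N256 = pick_n256()
def gf256_mul(a, b): return mul_tower(a, b, 4, gf16_mul, N256)
def gf256_inv(a): return inv_tower(a, 4, gf16_mul, gf16_inv, N256)

def aes_mul(a, b):
    # Reference product in the standard basis, x^8 + x^4 + x^3 + x + 1 (0x11B).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF

def find_root_powers():
    """Powers r^0..r^7 of a root r of the AES polynomial inside the tower field.
    The standard coefficient vector (a7..a0) then maps to sum a_i r^i; that is
    the basis change. The fields are isomorphic, so a root always exists."""
    for r in range(256):
        pw = [1]
        for _ in range(8):
            pw.append(gf256_mul(pw[-1], r))
        if pw[8] ^ pw[4] ^ pw[3] ^ pw[1] ^ pw[0] == 0:
            return pw[:8]
    raise RuntimeError("no root found")

ROOT_POWERS = find_root_powers()

def aes_to_tower(a):
    v = 0
    for i in range(8):
        if a >> i & 1:
            v ^= ROOT_POWERS[i]
    return v

TOWER_TO_AES = {aes_to_tower(a): a for a in range(256)}
assert len(TOWER_TO_AES) == 256                 # the basis change is a bijection

def aes_inverse(a):
    """a^-1 in the standard representation, computed through the tower field."""
    return TOWER_TO_AES[gf256_inv(aes_to_tower(a))]

# Affine step from the S-Box slide: s = M c (+) b, rows listed for s7 .. s0.
AFFINE_ROWS = (0b11111000, 0b01111100, 0b00111110, 0b00011111,
               0b10001111, 0b11000111, 0b11100011, 0b11110001)
AFFINE_CONST = 0b01100011                       # b = (0,1,1,0,0,0,1,1) = 0x63

def affine(c):
    s = 0
    for row in AFFINE_ROWS:                     # GF(2) dot product of row with c7..c0
        s = (s << 1) | (bin(row & c).count("1") & 1)
    return s ^ AFFINE_CONST

def sbox(a):
    return affine(aes_inverse(a))

def tower_matches_aes():
    """True iff the tower inverse is the field inverse for every byte."""
    return aes_inverse(0) == 0 and all(aes_mul(a, aes_inverse(a)) == 1 for a in range(1, 256))
```

A hardware version replaces the dictionary basis change with a fixed 8 × 8 GF(2) matrix (and its inverse merged with the affine step), which is exactly what the paper's basis-change matrix optimization targets.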
Main Operations - diagrams
[Figure: circuit diagrams of the polynomial inverter and the normal inverter (inputs $\Gamma_1, \Gamma_0$; outputs $\Delta_1, \Delta_0$; built from subfield ⊗ and ⊕, squaring, the square-and-scale $N \otimes \Gamma^2$, and one subfield inverter $\Gamma^{-1}$), and of the polynomial multiplier and the normal multiplier (inputs $\Gamma_1, \Gamma_0, \Delta_1, \Delta_0$; outputs $\Phi_1, \Phi_0$).]
Both polynomial and normal bases require the same number and type of subfield operations.
Note that in the normal inverter, each factor to a multiplier is shared with another multiplier.
Optimizations
factoring transformation matrices
  prior work: greedy algorithm
  current: full optimization by tree search
common subexpressions
  shared factors in inverters
  bit sums for square&scale
logic gate substitution
  XNOR for NOT XOR
  NAND for AND
  a NOR b for (a XOR b) XOR (a NAND b)
Results
Best Case Results
our smallest implementation of: merged S-box & inverse (Satoh architecture, with shared inverter); S-box alone; and inverse S-box alone.
best          XOR  NAND  NOR  NOT  MUX  total gates
merged         94    34    6    2   16          234
S-box          80    34    6    0    0          180
(S-box)^-1     81    34    6    0    0          182
20% smaller than the previous smallest merged S-box of Satoh, at 294 gates.
the same basis that gives the smallest merged S-box also gives the smallest separate S-box.
Levels of Optimization
Size of the $GF(2^8)$ inverter with increasing levels of optimization:
inverter          XOR  NAND  NOR  total gates
hierarchical       88    36    0          190
w/ shared oper.    66    36    0          152
w/ NOR subst.      56    34    6          138
sharing operations saves 20%.
the NOR substitution saves an additional 9%.
Choice of Basis
Comparison of four choices of basis: our best case; best case of Mentens et al.; basis of Satoh et al.; and our worst case.
basis     merged  S-box  S-box^-1
ours         253    195       195
Mentens      271    204       206
Satoh        275    211       209
worst        293    223       222
the worst-basis merged S-box is bigger than the best by 16%.
Matrix Optimization
Full optimization of matrices often improves upon the greedy algorithm, but may require much computation.
matrix  matrices   # improved by            matrices
size    optimized  1 XOR   2 XORs   3 XORs  improved
8 × 8   1728       613     138      11      44%
16 × 8  55         24      10       6       73%
Matrix Size Predictors
criteria for comparing matrices before optimization:
[Figure: two scatter plots, "number of ones vs. opt." and "greedy algorithm vs. opt.", each plotting the predictor against the fully optimized XOR count.]
comparisons of matrices based on:
'number of ones' incorrect for 37% of 8 × 8 and 44% of 16 × 8
greedy algorithm incorrect for 20% of 8 × 8 and 31% of 16 × 8
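Added example, not the paper's optimizer, for the Matrix Optimization and Matrix Size Predictors slides: a greedy common-pair factoring of a GF(2) matrix into an XOR program, the kind of greedy algorithm the slides contrast with full tree search, run on the affine matrix from the S-Box slide and checked exhaustively against direct matrix-vector multiplication. The pair-selection rule (most frequently shared input pair first) is a standard choice made here; the 'number of ones' predictor is the naive count.

```python
from itertools import combinations

# Sample input: the AES affine matrix from the S-Box slide, rows for s7 .. s0,
# bit i of a row meaning input bit c_i.
AES_AFFINE = (0b11111000, 0b01111100, 0b00111110, 0b00011111,
              0b10001111, 0b11000111, 0b11100011, 0b11110001)

def naive_xor_count(rows):
    """'Number of ones' predictor: one XOR per extra 1 in each row."""
    return sum(max(bin(r).count("1") - 1, 0) for r in rows)

def greedy_factor(rows, n_in):
    """Greedy factoring: repeatedly pull out the pair of signals shared by the
    most rows, compute it once, and substitute it. Returns (xor_count, program,
    outputs): program is a list of (dst, a, b) meaning signal dst = a XOR b,
    signals 0..n_in-1 are the inputs, outputs names the signal of each row."""
    terms = [set(i for i in range(n_in) if r >> i & 1) for r in rows]
    program, next_id = [], n_in
    while True:
        best, best_pair = 1, None                # need at least two rows to share
        for t in terms:
            for pair in combinations(sorted(t), 2):
                c = sum(1 for u in terms if pair[0] in u and pair[1] in u)
                if c > best:
                    best, best_pair = c, pair
        if best_pair is None:
            break
        a, b = best_pair
        program.append((next_id, a, b))
        for t in terms:
            if a in t and b in t:
                t -= {a, b}
                t.add(next_id)
        next_id += 1
    outputs = []                                 # finish each row with a plain XOR chain
    for t in terms:
        sigs = sorted(t)
        if not sigs:
            outputs.append(None)
            continue
        cur = sigs[0]
        for s in sigs[1:]:
            program.append((next_id, cur, s))
            cur = next_id
            next_id += 1
        outputs.append(cur)
    return len(program), program, outputs

def matvec(rows, x):
    """Direct GF(2) matrix-vector product, first row giving the top output bit."""
    y = 0
    for r in rows:
        y = (y << 1) | (bin(r & x).count("1") & 1)
    return y

def evaluate(program, outputs, n_in, x):
    """Run the XOR program on input bits x and assemble the output word."""
    sig = {i: (x >> i) & 1 for i in range(n_in)}
    for dst, a, b in program:
        sig[dst] = sig[a] ^ sig[b]
    y = 0
    for o in outputs:
        y = (y << 1) | (0 if o is None else sig[o])
    return y

def program_is_correct(rows, n_in=8):
    """True iff the greedy program computes the matrix for every input."""
    _, prog, outs = greedy_factor(rows, n_in)
    return all(evaluate(prog, outs, n_in, x) == matvec(rows, x) for x in range(1 << n_in))
```

The gap between `naive_xor_count` and the greedy count is the kind of saving the slide reports the greedy algorithm finding; the further 1 to 3 XORs per matrix that the tree search recovers are not found by this routine.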
Conclusions
Several improvements allow the merged S-box architecture of Satoh to be reduced in circuitry:
considering other bases for subfields; of 432 cases, the best uses all normal bases
full matrix optimization improves on the greedy algorithm
the NOR substitution gives further improvement
the resulting merged S-box is 20% smaller than that of Satoh
this smaller size could save chip area in ASICs, or allow more copies for parallelism and pipelining