A Petite and Power Saving Design for the AES S-Box

Wamser, Markus S.; Holzbaur, Lukas; Sigl, Georg

doi:10.1109/dsd.2015.29

Cited by 3 publications

(5 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They apply this algorithm to the AES Sbox and improve upon previous results, most notably the Canright decomposition from [Can05]. Later, several papers improved under various metrics the design of the AES Sbox, for instance [ZWYD15,WHS15,AEBAF14].…”

Section: Previous Workmentioning

confidence: 92%

Optimizing Implementations of Lightweight Building Blocks

Jean

Peyrin

Sim

et al. 2017

ToSC

View full text Add to dashboard Cite

We study the synthesis of small functions used as building blocks in lightweight cryptographic designs in terms of hardware implementations. This phase most notably appears during the ASIC implementation of cryptographic primitives. The quality of this step directly affects the output circuit, and while general tools exist to carry out this task, most of them belong to proprietary software suites and apply heuristics to any size of functions. In this work, we focus on small functions (4- and 8-bit mappings) and look for their optimal implementations on a specific weighted instructions set which allows fine tuning of the technology. We propose a tool named LIGHTER, based on two related algorithms, that produces optimized implementations of small functions. To demonstrate the validity and usefulness of our tool, we applied it to two practical cases: first, linear permutations that define diffusion in most of SPN ciphers; second, non-linear 4-bit permutations that are used in many lightweight block ciphers. For linear permutations, we exhibit several new MDS diffusion matrices lighter than the state-of-the-art, and we also decrease the implementation cost of several already known MDS matrices. As for non-linear permutations, LIGHTER outperforms the area-optimized synthesis of the state-of-the-art academic tool ABC. Smaller circuits can also be reached when ABC and LIGHTER are used jointly.

show abstract

Section: Previous Workmentioning

confidence: 92%

Optimizing Implementations of Lightweight Building Blocks

Jean

Peyrin

Sim

et al. 2017

ToSC

View full text Add to dashboard Cite

show abstract

“…Another line of work in this area [63,64,69] exploits a property of inversion-based S-boxes that any inversion in GF(2 n ) can be implemented by a linear feedback shift register (LFSR). The ASIC-based smallest such construction [63] needs on average 127 clock cycles, i.e.…”

Section: Aes S-boxmentioning

confidence: 99%

“…its latency depends on the given S-box input, hence is vulnerable to timing attacks. The idea has been further developed in [64] leading to 7 clock cycles latency (on average) for one S-box evaluation, which for sure needs more area compared to the original design. The authors also presented a constant-time variant of their design with a latency of 16 clock cycles.…”

Section: Aes S-boxmentioning

confidence: 99%

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

2020

View full text Add to dashboard Cite

The effort in reducing the area of AES implementations has largely been focused on application-specific integrated circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naive implementation of the AES S-box has been the status-quo on field-programmable gate arrays (FPGAs). A similar discrepancy holds for masking schemes-a well-known side-channel analysis countermeasure-which are commonly optimized to achieve minimal area in ASICs. In this paper, we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction in the area footprint on FPGA devices. We present new AES implementations which improve on the state-of-the-art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against side-channel attacks. We introduce a generic methodology for masking any n-bit Boolean functions of degree t with protection order d. The methodology is exact for first-order and heuristic for higher orders. Its application to our new construction of the AES S-box allows us to improve previous results and introduce the smallest first-order masked AES implementation on Xilinx FPGAs, to date.

show abstract

“…Another line of work in this area [Wam14,WHS15,WS17] exploits a property of inversion-based S-boxes that any inversion in GF(2 n ) can be implemented by a Linear Feedback Shift Register (LFSR). The ASIC-based smallest such construction [Wam14] needs on average 127 clock cycles, i.e.…”

Section: Introductionmentioning

confidence: 99%

“…its latency depends on the given S-box input, hence is vulnerable to timing attacks. The idea has been further developed in [WHS15] leading to 7 clock cycles latency (on average) for one S-box evaluation, which for sure needs more area compared to the original design. The authors also presented a constant-time variant of their design with a latency of 16 clock cycles.…”

Section: Introductionmentioning

confidence: 99%

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES

Meyer

Moradi

Wegener

2018

TCHES

View full text Add to dashboard Cite

The effort in reducing the area of AES implementations has largely been focused on Application-Specific Integrated Circuits (ASICs) in which a tower field construction leads to a small design of the AES S-box. In contrast, a naïve implementation of the AES S-box has been the status-quo on Field-Programmable Gate Arrays (FPGAs). A similar discrepancy holds for masking schemes – a wellknown side-channel analysis countermeasure – which are commonly optimized to achieve minimal area in ASICs.In this paper we demonstrate a representation of the AES S-box exploiting rotational symmetry which leads to a 50% reduction of the area footprint on FPGA devices. We present new AES implementations which improve on the state of the art and explore various trade-offs between area and latency. For instance, at the cost of increasing 4.5 times the latency, one of our design variants requires 25% less look-up tables (LUTs) than the smallest known AES on Xilinx FPGAs by Sasdrich and Güneysu at ASAP 2016. We further explore the protection of such implementations against first-order side-channel analysis attacks. Targeting the small area footprint on FPGAs, we introduce a heuristic-based algorithm to find a masking of a given function with d + 1 shares. Its application to our new construction of the AES S-box allows us to introduce the smallest masked AES implementation on Xilinx FPGAs, to-date.

show abstract

A Petite and Power Saving Design for the AES S-Box

Cited by 3 publications

References 17 publications

Optimizing Implementations of Lightweight Building Blocks

Optimizing Implementations of Lightweight Building Blocks

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES: Extended Version

Spin Me Right Round Rotational Symmetry for FPGA-Specific AES

Contact Info

Product

Resources

About