Yet Another Size Record for AES: A First-Order SCA Secure AES S-Box Based on \(\mathrm {GF}(2^8)\) Multiplication

Abstract

It is well known that Canright’s tower field construction leads to a very small, unprotected AES S-box circuit by recursively embedding Galois Field operations into smaller fields. The current size record for the AES S-box by Boyar, Matthews and Peralta improves the original design with optimal subcomponents, while maintaining the overall tower-field structure. Similarly, all small state-of-the-art first-order SCA-secure AES S-box constructions are based on a tower field structure.

We demonstrate that a smaller first-order secure AES S-box is achievable by representing the field inversion as a multiplication chain of length 4. Based on this representation, we showcase a very compact S-box circuit with only one \(\mathrm {GF}(2^8)\)-multiplier instance. Thereby, we introduce a new high-level representation of the AES S-box and set a new record for the smallest first-order secure implementation.

A ANFs for Linear and Affine Functions in our Design

To enhance the reproducibility of our results, we provide the algebraic normal form for all linear/affine functions used in our design.

ANF of power-map \(x^4\) in \(\mathrm {GF}(2^8)\):

$$\begin{aligned} y_0^4&= x_0 + x_2 + x_3 + x_5 + x_6 + x_7 \\ y_1^4&= x_2 + x_3 + x_4 + x_5 + x_6 \\ y_2^4&= x_4 + x_5 + x_7 \\ y_3^4&= x_2 + x_3 + x_4 \\ y_4^4&= x_1 + x_2 + x_4 + x_5 + x_6 \\ y_5^4&= x_3 + x_6 \\ y_6^4&= x_4 + x_7 \\ y_7^4&= x_3 + x_5 + x_6 + x_7 \end{aligned}$$

ANF of power-map \(x^8\) in \(\mathrm {GF}(2^8)\):

$$\begin{aligned} y_0^8&= x_0 + x_1 + x_3 \\ y_1^8&= x_1 + x_2 + x_3 \\ y_2^8&= x_2 + x_4 + x_5 \\ y_3^8&= x_1 + x_2 + x_6 \\ y_4^8&= x_1 + x_2 + x_3 + x_5 \\ y_5^8&= x_3 + x_4 + x_6 + x_7 \\ y_6^8&= x_2 + x_4 + x_6 \\ y_7^8&= x_3 + x_4 + x_5 + x_6 \\ \end{aligned}$$

ANF of function \(\mathsf {Aff} \circ x^2\) in \(\mathrm {GF}(2^8)\):

$$\begin{aligned} y_0^{2aff}&= 1 + x_0 + x_2 + x_3 + x_6 \\ y_1^{2aff}&= 1 + x_0 + x_3 \\ y_2^{2aff}&= x_0 + x_1 + x_3 + x_6 \\ y_3^{2aff}&= x_0 + x_1 + x_4 + x_7 \\ y_4^{2aff}&= x_0 + x_1 + x_2 + x_6 + x_7 \\ y_5^{2aff}&= 1 + x_1 + x_2 + x_4 + x_5 + x_6 + x_7 \\ y_6^{2aff}&= 1 + x_1 + x_2 + x_3 \\ y_7^{2aff}&= x_2 + x_3 + x_5 + x_6 + x_7 \end{aligned}$$