LIANG Hao,WU Li-ji,ZHANG Xiang-min

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2015.05.004

2015-01-01

Abstract:In this paper, a new method based on composite field is proposed. Through isomorphism bit matrices, the calculation by changing finite field inversion from GF(28) to GF(((22)2)2) is simplified to reduce the computational difficulty and a more compact S-box is realized. The area decreases by 27% than Look-up Table. On the basis of that, the SM4 algorithm is implemented. The area of this IP core is only 7 612 gates synthesized under the smic0.13 μmCMOS process. Therefore this improved design is very helpful for area-limited condition such as IC cards.

Rithambara Shivraj Singh Rajput,Sujata Nandeshwar Patil

DOI: https://doi.org/10.4018/ijec.296684

2022-01-01

Abstract:The Substitution-BOX is the most difficult architecture and is at the heart of any Advanced Encryption Standard algorithm implementation. It is the most complicated non-linear architecture using multiplicative inverse. It consumes maximum amount of the energy and power budget of the algorithm. This paper introduces a full-custom CMOS implementation of Multiplicative Inverse module for Substitution/ Inverse Substitution transformation in composite field arithmetic using Galois field GF (28). The multiplicative inversion module utilizes large number of XOR gates in its implementation. This paper introduces implementation of a novel XOR gate using six transistors. Using this six transistor XOR gate, the multiplicative inverse module is implemented in 90 nm CMOS technology. Simulation of the proposed design is achieved using Tanner EDA v.16 software. The area of the multiplicative inverse circuit is 39.92 μm2 requiring 776 transistors. With 0.6 Volts supply voltage, the design shows a power dissipation of 2.386 μWatts making it ideal for applications such as smart cards and RFID tags.

Xiangyu Li,Pengyuan Jiao,Chaoqun Yang

DOI: https://doi.org/10.1088/1674-4926/42/3/032402

2021-01-01

Abstract:A side-channel attack (SCA)-resistant AES S-box implementation is proposed, which is an improvement from the power-aware hiding (PAH) S-box but with higher security and a smaller area. We use the composite field approach and apply the PAH method to the inversion in the nonlinear kernel and a masking method to the other parts. In addition, a delay-matched enable control technique is used to suppress glitches in the masked parts. The evaluation results show that its area is contracted to 63.3% of the full PAH S-box, and its power-delay product is much lower than that of the masking implementation. The leakage assessment using simulation power traces concludes that it has no detectable leakage under t-test and that it at least can thwart the moment-correlation analysis using 665 000 noiseless traces.

Xiao-cao QIN,Shu-guo LI

2014-01-01

Abstract:S-Box substitution and inverse S-Box substitution are the major bottleneck for AES algorithm ,which directly affect the speed of AES chip .On the basis of optimizing Q-M simplifying method ,this paper proposes an expression method to implement the S-Box substitution and inverse S-Box substitution in AES algorithm .Compared with the widespread use of the look-up-table method ,the expression method can reduce the delay ,area and power of circuit by 8 .5% ,27 .4% and 17% respectively .

Jiang Jiuxing,Zhao Yuying,Huang Hai,Xie Guanghui,Hou Jiao,Feng Xinxin

DOI: https://doi.org/10.11999/jeit190257

2020-01-01

Abstract:Based on the in-depth research on the S-box constitution arithmetic of composite, an area optimized generic low-entropy higher-order masking scheme is proposed in this paper. The low entropy masking method is introduced on GF(2(4)), and the partial module reusing design is adopted, which reduces effectively the number of multiplications based on the S-box inversion operation of the composite. The algorithm can be applied to any order masking scheme of arbitrary S-box composed of inversion operation. This scheme is applied to AES, gives detailed simulation results and optimizes the layout area, compared with the traditional masking scheme, reduces effectively the use of logical resources. In addition, the security is theoretically proved.

Hao Liang,Liji Wu,Xiangmin Zhang,Jiabin Wang

DOI: https://doi.org/10.1109/cis.2014.59

2014-01-01

Abstract:This paper propose a new masking scheme for SM4 s-box based on composite field. Through isomorphism bit matrices, we simplify the calculation by changing finite field inversion from GF(28) toGF(((22)2)2) to reduce the computational difficulty. We carefully modify the inversion to ensure every intermediate value is masked during the process. The theoretical analysis and simulated CPA proves the effectiveness of this method. Thus our method can eliminate the need to pre-compute the s-box every time when the mask is updated, as a result, saves a lot of time and storage room. This method is suitable for implementations with limited resources such as smart cards.

Xiaoqiang Zhang,Xinggan Zhang,Lan Tang,Xinxing Zheng,Tianming Ni,Ning Wu

DOI: https://doi.org/10.1587/elex.17.20200035

2020-01-01

IEICE Electronics Express

Abstract:In this paper, a low critical path delay (CPD) circuit structure is proposed for composite field S-box circuit. In the low CPD structure, multiplicative inverse over GF(2(4)) and multiplicative over GF(2(4)) are constructed by AND-XOR-networks. The XOR-networks in the last two multiplications over GF(2(4)) are further merged with the following constant matrix multiplication operation to shorten the CPD. Finally, hardware complexities of our designs are compared with previous works. The comparisons indicate that our proposed method is effective. Our design of S-box/InvS-box based on the proposed method has lower CPD.

Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1109/ITNEC.2016.7560361

2016-01-01

Abstract:This paper presents an iterative encryption architecture of SM4 arithmetic in combinational logic. Previous works using Lookup Tables to implement the Sbox function have relied on circuits with a large area. Using the Normal Basis in the Composite Field, the proposed design reduces the circuits' area. We test all feasible sets of Normal Basis and finally find 8 sets for correct encryption of SM4. Through the simulation in Modelsim, the proposed architecture achieves the right result within 32 rounds. Compared with the other designs, our design uses less hardware and has a big advantage in resource constrained applications.

Juhua Liu,Wei Lie,Guoqiang Bai

DOI: https://doi.org/10.1109/cstic.2018.8369335

2018-01-01

Abstract:Recently, the need for designing block ciphers targeting on resource constrained device has been repeatedly expressed by professionals. Currently, Roadrunner is one of the most software efficient lightweight ciphers. Its security is provable against linear and differential attacks. In this paper, we design a novel S-Box layer, in order to improve the performance for hardware implementation. Furthermore, the new S-Box layer has eight different 4-bit S-Boxes, which are decomposable. We decompose each 4-bit S-Box by exploiting affine transformations and a single shared quadratic permutation. After being decomposed, these eight 4-bit S-boxes can be merged into one component, sharing the same quadratic permutation. In this way, we can save the area consumption by 51%, compared to the traditional implementation of old S-box layer by using look up tables (LUTs).

Xiaoqiang Zhang,Lan Tang,Xinggan Zhang,Xinxing Zheng,Mingyu Xu,Fan Yang

DOI: https://doi.org/10.1587/elex.19.20220154

2022-01-01

IEICE Electronics Express

Abstract:In this paper, a low delay circuit structure is proposed for composite field S-box circuit. In the low delay structure, the multiplications over GF((2(2))(2)) are constructed by XOR-AND-XOR-networks, and the multiplicative inverse over GF((2(2))(2)) are constructed by AND-XOR-networks. As XOR-networks are linear operations, they can be further expressed as constant matrix multiplications. In this paper, the adjacent matrix multiplications in S-box are merged to reduce the delay. Compared with previous works, our S-box implementations have lower delay.

XU Yan-hua,BAI Xue-fei,GUO Li

2009-01-01

Journal of University of Science and Technology of China

Abstract:In order to solve the problem of the implementation algorithm of S-box based on the inversion transformation over Galois field,methods such as composite field computation,altering calculation order and sharing factors have been used to optimize operations.A low hardware overhead implementation algorithm of S-box based on the inversion transformation approach from GF(28) to GF(22) was presented.Compared with the implementations based on look-up table method,this algorithm can reduce circuit area by 34%~68% using 0.18 μm and 0.35 μm CMOS technology.This design method can make SMS4 algorithm more suitable for area-critical devices.

Mohammad Mazyad Hazzazi,Amer Aljaedi,Zaid Bassfar,Misbah Rani,Tariq Shah

DOI: https://doi.org/10.3934/math.2024537

2024-01-01

AIMS Mathematics

Abstract:This research paper is supplemented with a unique formation to design state-of-the-art S-boxes. The invented approach is simple but has the capability of creating confusion in our newly proposed algorithm. Our core planned work refined the method of already designed S-boxes to accomplish more compact ones. Various structures were merged here, namely affine transformation, fractional linear transformation, structure of Klein four-group, and the algebraic structures of the Galois fields, $ GF\left({2}^{4}\right) $ and $ GF\left({2}^{8}\right). $ These structures were utilized to synthesize newly $ 1600 $ robust S-boxes. Besides, we discussed encryption steps of AES with these newly generated S-boxes. We highlighted some specific characteristics, performance of parameter's improvement, and their utilization. Nonlinear properties were mainly set to inspect the behavior of I/O bits and could apply image encryption. Then, the performance of proposed S-boxes and newly structured AES was tested in comparison with other prevailing S-boxes.

mathematics, applied

Chaoqun Yang,Xiangyu Li,Shujuan Yin

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00217

2018-01-01

Abstract:Power-Aware Hiding (PAH) has been proposed as a kind of energy-efficient Side Channel Attacks (SCA) countermeasure for S-boxes. However, it has large area overhead. In this paper, an improved SCA-resistant AES S-box implementation, which is based on PAH technique but has smaller area, is proposed. It implements the S-Box in the masked composited field approach but applies the PAH method to the inversion in GF(2^4). Evaluation result shows that its area is shrunken to 47.7% of the full PAH S-box, and that its power-delay product is about 81% lower than that of the traditional masking implementation. Simulation shows that the PAH inverteru0027s power difference is smaller than the other candidates, including the PAH S-box. It is secure under moment-correlating power analysis with 70,000 noiseless power traces at least.

Hailiang Fu,Guoqiang Bai,Xingjun Wu

DOI: https://doi.org/10.1007/978-3-319-59608-2_39

2016-01-01

Abstract:Implementations of the SM4 algorithm, including different hardware applications with limited resources, are vulnerable to Side-Channel Attacks. This paper presents a countermeasure against such attacks by adding a random “mask” to the input plaintext and protect all variables through the whole encryption process. As is known to all, the unique nonlinear step in each round of SM4 algorithm is the “S-Box” and the previous works using lookup-table method to implement the S-Box always incur large area and high power. Here we give the compact design of masked S-Box using the normal basis in the composite field (consisting of a Galois inversion and several affine transformations). Then we compute the different masks diffused to all the steps in the SM4 algorithm process. The proposed design results in ultra-low cost of hardware and capability to resist first-order differential power analysis (DPA), which is suitable for the resource constrained devices. The synthesis result of masked S-Box shows that the area under the SMIC 0.13 (upmu )m is only about 978-gates, 46.8% fewer than the other works. Further, we apply the pipeline technique to our proposed “masked S-Box”, thereby to the whole masked SM4 algorithm. The results of FPGA implementation present that our works have achieved an ultra-high speed with frequency nearly 551 MHz and the throughput over 70 Gbps.

Xincheng Hu,Xiao Zeng,Zhaoqiang Liu,Guowu Yang

2024-11-19

Abstract:We investigate the affine equivalence (AE) problem of S-boxes. Given two S-boxes denoted as $S_1$ and $S_2$, we aim to seek two invertible AE transformations $A,B$ such that $S_1\circ A = B\circ S_2$ holds. Due to important applications in the analysis and design of block ciphers, the investigation of AE algorithms has performed growing significance. In this paper, we propose zeroization on S-box firstly, and the AE problem can be transformed into $2^n$ linear equivalence problems by this zeroization operation. Secondly, we propose standard orthogonal spatial matrix (SOSM), and the rank of the SOSM is invariant under AE transformations. Finally, based on the zeroization operation and the SOSM method, we propose a depth first search (DFS) method for determining AE of S-boxes, named the AE\_SOSM\_DFS algorithm. Using this matrix invariant, we optimize the temporal complexity of the algorithm to approximately $\frac{1}{2^n}$ of the complexity without SOSM. Specifically, the complexity of our algorithm is $O(2^{3n})$. In addition, we also conducted experiments with non-invertible S-boxes, and the performance is similar to that of invertible S-boxes. Moreover, our proposed algorithm can effectively handle S-boxes with low algebraic degree or certain popular S-boxes such as namely AES and ARIA\_s2, which are difficult to be handled by the algorithm proposed by Dinur (2018). Using our algorithm, it only takes 5.5 seconds to find out that the seven popular S-boxes namely AES, ARIA\_s2, Camellia, Chiasmus, DBlock, SEED\_S0, and SMS4 are affine equivalent and the AE transformations of these S-boxes are provided.

Cryptography and Security,Data Structures and Algorithms

Xiaoqiang Zhang,Fan Yang,Xinxing Zheng,Xinggan Zhang,Ning Wu

DOI: https://doi.org/10.1587/elex.17.20200391

2020-01-01

IEICE Electronics Express

Abstract:Among Advanced Encryption Standard (AES) operations, MixColumns/InvMixColumns is the second most computationally complex operation after S-box. It occupies a large hardware resources and critical path delay (CPD) in AES hardware implementations. To reduce the hardware complexity of the MixColumns/InvMixColumns, a whole matrix joint optimization method is proposed in this paper. All coefficient multiplications in MixColumns/InvMixColumns are combined into a single matrix multiplication in the proposed method, and larger number of common subexpressions can be shared in the combined matrix. Therefore, the area can be drastically reduced in implementations. The validity of our whole matrix joint optimization is verified by theoretical analyses and synthesis tools. Both analyses results and synthesized results indicate that, compared with column joint optimization and row joint optimization, the optimization efficiency is improved greatly in the whole matrix joint optimization. Compared with previous works, our implementations have wider area-delay tradeoff, from less delay to minimal area cost.

Mengyuan Zhang,Tairong Shi,Wenling Wu,Han Sui

DOI: https://doi.org/10.1109/tc.2024.3449094

IF: 3.183

2024-10-12

IEEE Transactions on Computers

Abstract:In the post-quantum era, the security level of encryption algorithms is often evaluated based on the quantum resources required to attack AES. In this work, we make thoroughly estimations on various performance metrics of the quantum circuit of AES-128/192/256. Firstly, we introduce a generic round structure for in-place implementation of the AES algorithm, maximizing the parallelism between nonlinear components. Specifically, when employed as an encryption oracle, our structure reduces the T-depth from 2rd to (r+1)d. Furthermore, by leveraging the properties of block-cyclic matrices, we present an in-place implementation circuit for MixColumn with depth 10, utilizing 105 CNOT gates. In relation to the S-box, we have assessed its minimum circuit width at different T-depths and provide multiple versions of circuit implementations for a depth-width trade-off. Finally, based on our optimized S-box circuit, we conduct a comprehensive analysis of the implementation complexity of different round structures, where our structure exhibits significant advantages in terms of low T-depth.

engineering, electrical & electronic,computer science, hardware & architecture

Qihuan Huang,Leibo Liu,Hai Huang,Shaojun Wei

DOI: https://doi.org/10.1109/iccsn.2017.8230286

2017-01-01

Abstract:Due to low masking-complexity property of the addition chain, it has been widely researched for evaluating the S-boxes in the recent literatures. This paper summarizes four main addition chains developed for the AES S-box in the existing literatures and chooses the most area-efficient addition chain. To further reduce the masking complexity, this paper proposes an improved algorithm for evaluating the polynomial modular multiplication. Based on the proposed algorithm, the non-linear multiplier, the square multiplier and the constant multiplier are developed separately to implement four different addition chains. To evaluate the performance, these addition chains are modeled with the Verilog, synthesized with the Synopsys Design Compiler and compared with each other. The comparison results show that the addition chain with less non-linear multipliers and square multipliers has less area. According to the comparison results, this paper chooses the most area-efficient addition chain to implements the whole AES. The research in this paper lays the foundation for the high-efficient higher-order masking scheme of the block cipher algorithm.

Wei Wei,Cui Xiaoxin,Wu Di,Li Rui,Ma Kaisheng,Yu Dunshan,Cui Xiaole

DOI: https://doi.org/10.1109/icsict.2012.6466685

2012-01-01

Abstract:A masking scheme of AES algorithm is analyzed, and the optimal masked S-box is implemented in this paper. By using the "tower field" representation, all nonlinear process of unmasked S-box is mapped to multiplication in GF(2), which is a single AND gate in circuits, and power consumption is hidden by using additive masked. In order to further reduce the hardware cost, a simplified masked AND gate is adopted and masks are reused safely. Both gate-level simulation and FPGA testing result have proved that our implementation provides good resistance against DPA attack.

Shize Guo,Xinjie Zhao,Fan Zhang,Tao Wang,Zhijie Jerry Shi,Francois-Xavier Standaert,Chujiao Ma

DOI: https://doi.org/10.1109/tifs.2014.2315534

IF: 7.231

2014-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Algebraic side-channel attack (ASCA) is a typical technique that relies on a general solver to solve the equations of a cipher and its side-channel leaks. It falls under analytical side-channel attack and can recover the entire key at once. Many ASCAs are proposed against the AES, and they utilize the Grobner basis-based, SAT-based, or optimizer-based solver. The advantage of the general solver approach is its generic feature, which can be easily applied to different cryptographic algorithms. The disadvantage is that it is difficult to take into account the specialized properties of the targeted cryptographic algorithms. The results vary depending on what type of solver is used, and the time complexity is quite high when considering the error-tolerant attack scenarios. Thus, we were motivated to find a new approach that would lessen the influence of the general solver and reduce the time complexity of ASCA. This paper proposes a new analytical side-channel attack on AES by exploiting the incomplete diffusion feature in one AES round. We named our technique incomplete diffusion analytical side-channel analysis (IDASCA). Different from previous ASCAs, IDASCA adopts a specialized approach to recover the secret key of AES instead of the general solver. Extensive attacks are performed against the software implementation of AES on an 8-bit microcontroller. Experimental results show that: 1) IDASCA can exploit the side-channel leaks in all AES rounds using a single power trace; 2) it has less time complexity and more robustness than previous ASCAs, especially when considering the error-tolerant attack scenarios; and 3) it can calculate the reduced key search space of AES for the given amount of side-channel leaks. IDASCA can also interpret the mechanism behind previous ASCAs on AES from a quantitative perspective, such as why ASCA can work under unknown plaintext/ciphertext scenarios and what are the extreme cases in ASCAs.