Design of S-box and INV S-box using Composite Field Arithmetic for AES Algorithm

Download Full-Text PDF Cite this Publication

Text Only Version

Design of S-box and INV S-box using Composite Field Arithmetic for AES Algorithm

Sushma D K

Department of Electronics and Communication The Oxford College of Engineering

Bangalore, India

Dr. Manju Devi

Department of Electronics and Communication The Oxford College of Engineering

Bangalore, India

Abstract The efficient implementation of combined ByteSub and InvByteSub transformation for encryption and decryption in advanced encryption standard (AES) architecture using the composite field arithmetic in finite fields GF (256) or GF (28) hence this approach is more advantages than the conventional LUT method that incurs unbreakable delay, large amount of memory and area. The proposed architecture which is combined implementing of S-box and InvS-box makes use of an enable pin to perform encryption and decryption in AES. The architecture uses combinational logic, as both S-box and InvS-box are implemented on same hardware reduces the area and gate count by large amount. The power consumption is reduced by resource sharing of multiplicative inverse module of proposed system. The proposed architecture is implemented on Spatan6 FPGA board using Verilog HDL in Xilinx ISE 14.6.

Keywords Composite field arithmetic, AES, Galois field, look-up table, FPGA


    Cryptographic development in recent years has been a challenging and high priority research area in both fields of mathematics and engineering. Due to advancement in embedded system and need of encryption in it has made encryption more resource constraint in terms of power, area and delay. Advanced Encryption Standard (AES) was adopted as the standard for encryption and decryption by National Institute of Standards. AES uses larger key sizes (128, 192 and 256bits) hence provides higher security than any other encryption technique. Encryption algorithms are mainly of two types one is private key or symmetric key and the other is public key. Private key algorithms uses only one key, for both encryption and decryption whereas, public key algorithms involve two different keys, for encryption and decryption [1].Symmetric key cryptography is one of the main subjects in cryptography where a key of a certain size will shared for the encryption and decryption processes.. Computation of mathematical inversion in finite field arithmetic by Sub-Byte transformation consumes the most of the resource. The AES algorithm is used in different application fields like Radio Frequency Identification (RFID) tags, World Wide Web (WWW) servers, Automated Teller Machines (ATMs), smart cards, cellular phones, digital video and sensor nodes. AES can be implemented in both hardware and software. The four important operations in AES algorithm are S-Box, inverse S-Box, MixColumn and InverseMixColumn steps in these are computationally more involved than addroundkey and shift row operations. The designs, which do not use ROMs or big lookup tables,

    implementations for S-Box and inverse S-Box have been popular of late for in VLSI or FPGA implementations.

    Byte Substitution and Inverse Byte Substitution transformation is non-linear transformation that maps each byte of the state that is 128 bits to different value using the substitution tables for S-box and InvS-box. It can be implemented by using memory method and memory-less method. In memory method, ROM based LUT (Look-up table) is used to compute the S-box that utilizes more memory, which increases area, power of AES and thus disadvantage of this is unbreakable delay and latency because of finite time of the architecture. In memory-less method, implementation of S-Box using LUT and SOP approach is fast but effective in cost.

    The structure of this paper is as follows. The construction of ByteSub and InvByteSub transformations is explained in section II. The Composite arithmetic operations is explained in section III. Hardware implementation of the proposed architecture is described in section IV


    The ByteSub& InvByteSub transformation are calculated by the application of the multiplicative inverse to the plain text in GF (28) and then affine transformation is applied to it. For decryption, the InvByteSub transformation is calculated by the application of the inverse affine transformation to cipher text before applying the multiplicative inverse [6]. The multiplicative inverse operation is involved in both the ByteSub and its inverse transformations.

    Fig 1: Combined ByteSub and invByteSub transformation

    Here Aff block represents affine transform, Aff-1 represents inverse affine transform, the EN/DN will act as selection line of s-box and InvS-box, and Mul_inv block represents multiplication inverse in GF(28) .Implementing the architecture of S-Box (and its inverse) using combinational logic has an advantage of small area occupancy and on using pipelined structure and also increases the clock frequency.

    1. Affine and inverse affine transform

      The Affine and Affine-1 are the Affine Transformation and its inverse while the vector is the multiplicative inverse of the input byte from the state array. From here, it is observed that both the SubByte and the InvSubByte transformation involve a multiplicative inversion operation. Thus, both transformations may actually share the same multiplicative inversion module in a combined architecture. Switching between SubByte and InvSubByte is just a matter of changing the value of EN/DN. EN is set to 0 for SubByte while 1 is set when InvSubByte operation is desired.

      The SubBytes is a nonlinear transformation, which computes the multiplicative inverse of each byte of the State in followed by an affine transformation. The SubBytes can be described by (1)

      Where = {10}2 & = {1100}2. To represent an element of finite field GF(28) in its composite field, an isomorphic mapping function is used and after applying the multiplicative inverse for output of isomorphic function, again to convert the result into finite field GF(28), an inverse isomorphic mapping function is used. The 8 × 8 binary matrices of isomorphic () and its inverse (-1) functions can be decided by the irreducible Polynomial p(x) = x8 + x4 + x3

      + x +1 of the finite field GF (28) and by the irreducible polynomials of its composite fields which are mentioned in (3). Let a be an element (can represent in column matrix of order 8×1) in GF (28), then the isomorphic mapping can be written as a matrix multiplication, ×a and its inverse as another matrix multiplication -1×a, as shown in (4) and (5).

      = (1)

      Were Si,j(0<i,j<4) is considered a element of GF(28) M is 8×8 binary matrix and c is a 8 bit binary vector with only 4 nonzero bits. The transformations in the decryption process perform the inverse of the corresponding transformations in the encryption process. Specifically, the InvSubByte performs the following operation on each byte of the State by (2)


      Where S and S are input and output bytes in 8-D vector formats.

    2. Multiplicative inverse module:

      This multiplicative inverse module is a complex operation, such that it is divided which is the major operation in both the ByteSub and in inverse ByteSub transformation. It takes more than 630 gates to implement it with repetitive multiplications in GF (28). So, to reduce the gate count in large amount, composite field arithmetic is used.

      Fig 2: Multiplicative inverse module for AES algorithm

      1. Isomorphic mapping function and its inverse

        Composite field is denoted as GF((2n)m) , this is Isomorhic to the finite field GF(2k), for k = nm. The composite field GF(28) can be formed iteratively from lower order fields like GF(2) using the irreducible polynomials which are mentioned in (5)


      2. Multiplicative inversion in GF(28):

    In the composite field GF(28) , an element can be expressed as bx + c, where b, c in GF(24) are first and second nibbles of the byte and x is a root of irreducible polynomial P2(x) in eq(3). The multiplicative inverse of bx + c modulo P2(x) can be computed by using Extended Euclidean algorithm [2] [5] as shown in (6).


    From the above equation implies that there are multiply, addition, squaring and multiplication inversion in GF(24) operations in Galois Field.


    Any arbitrary polynomial can be represented by bx + c where b is upper half term and c is the lower half term. Therefore, from here, a binary number in Galois Field q can be spilt to qH x + qL for instance, if q = {1011}2, it can be represented as {10}2x + {11}2, where qH is {10}2 and qL is

    {11}2. The decomposing is done by making use of the irreducible polynomials introduced at (3). Using this idea, the

    logical equations for the addition, squaring, multiplication and inversion can be derived.

    1. Addition in GF(24):

      Addition of 2 elements in Galois Field can be translated to simple bitwise XOR operation between the 2 elements.

    2. Squaring in GF(24):

      Let q is an element in GF(24) which can written as qH x + qL and this can be split, let k is another element in GF(24) which is equal to square of q as given in equation.


      kH x+ kL = (qHx+qL)2 = qH2x2+q 2 (7)

      The x2 term can be modulo reduced using the irreducible polynomial from (3). By setting x2 = x + , doing so yields the new expressions below.


      The hardware logic diagram to the above equations is shown below in fig:3.

      Fig3: Hardware logic diagram of square in GF(24)

    3. Multiplication with constant

      Let q and k are the 4bit elements of GF(24) and let k=q, where ={1100}2 hence neglect lower L and the equation given by

      k = qH H x2 +qL H x (9)

      Modulo reduction can be performed by substituting x2 = x + using the irreducible polynomial in (3) to yield the expression below


      Fig 4: Hardware logic diagram of multiplication with constant

    4. Multiplication with constant in GF(22):

      Let k = q, where k = {k1 k0}2, q = {q1q0}2 and = {10}2 are elements of GF (22).

      k= (q1 x +q0) x= q1x2+q0 (11)

      Substitute the x2 term with x2 = x + 1, yield the expression below

      k=q1(x+1) + q0x= (q1+q0)x+q1 (12)

      The formula obtained to compute its multiplications with constant operation in GF(22) is



      Fig 5: Hardware logic diagram of multiplication with constant

    5. Multiplication inversion in GF(24):

    1 0

    The composite field decomposition approach is used to compute the multiplicative inverse of q (where q is an element of GF (24)) such that q-1 = {q3 -1,q2 -1,q -1,q -1}. Hence reduces the gate count and shortest path delay. The inverses of the individual bits can be computed from the equation below



The analytical validation of the combined S-box and InvS- box for AES is accoutrement and verified using the Spartan 6 (xc6slx2tqg144) FPGA board using Verilog HDL in Xilinx

    1. tool. The proposed module is initiated and implemented in the main module as combined implementation of s-box and InvS-box by using an enable pin to select SubByte and InvSubByte transformation for AES algorithm. The architecture is appliance using two 2:1 multiplexer as shown in fig.1and the design consists of implementing modules such as isomorphic function and Invs-isomorphic function, squaring unit, inversion unit and affine transformation. Thus, the architecture utilizes 77 slice of LUTs and the reduction in area by 50% and decrease in gate count when compared with previous LUT methods for S-box and low power consumption. The number of gates and mux used are tabulated below in table 1.

      Table1: synthesis report


      2:1 Multiplexer


      Number of XOR gates


      Slice LUTs


      Delay (ns)


      The simulation results of the proposed architecture using Xilinx ISE14.6 is shown below figures. The SubByte and InvSubByte transformations are formed using the multiplicative inverse module, mux and affine transformations by using an enable pin to select either encryption or decryption based on the selection for the AES algorithm.

      Fig6: Simulation result of SubByte transformations when enable pin EN=1

      Fig7: Simulation result of InvSubByte transformations when enable pin EN=0

      Fig8: Simulation result of combined SubByte &InvSubByte transformations

      The power consumption of this proposed architecture of combined s-box and InvS-box for SubByte and InvSubByte of AES algorithm is 0.014w for an input of 128 bits and the frequency of operation is about 60MHz.


      For the efficient implementation of proposed architecture of the SubBytes/InvSubByte is implemented by combinational logic to avoid the unbreakable delay of LUTs in the analytical designs. Further, composite field arithmetic and finite fields is used to reduce the hardware complexity and also uses different approaches to implement inversion in subfield GF(24) are compared. The architecture is implemented on Spartan6 FPGA board using Verilog HDL code by making use of enable pin to select s-box/ Invs-box during the operation. The overall delay caused by the logic is 19.8ns and consumes very less power of 14mW and occupies very less area and memory because of resource sharing in multiplicative inversion module.


      We acknowledge to department of electronics and communication for providing the lab resources.


      1. Edwin NC Mui, "Practical Implementation of Rijndael S-Box Usingcombinational Logic", Custom R&D Engineer Texco Enterprise

      2. Xinmiao Zhang and Keshab K. Parhi, High-Speed VLSI Architectures for the AES Algorithm., IEEE Transactions on Very Large Scale Integration(VLSI) Systems, Vol.12, No. 9, September 2004.

      3. P.V.S.ShastI, Anuja Agnihotri, Divya Kachhwaha, Jayasmita Singh and Dr.M.S.Sutaone, A Combinational Logic implementation of S- box of AES, 54th International Midwest Symposium on Circuit and Systems, 2011.

      4. K. Jarvinen, M. Tommiska, and J. Skytta, Comparative survey of high performance cryptographic algorithm implementations on FPGAs, IEEE Proceedings Information Security, vol. 152, no. 1, pp. 312, Oct 2005.

      5. K. Shesha Shayee, J. Park, and P. Diniz, Performance and area modeling of complete FPGA designs in the presence of loop transformations, in 11th Annual IEEE Symposium on field- Programmable Custom Computing Machines, 2003, FCCM 2003, April 2003.

      6. Bhoopal Rao Gangadari and Shaik Rafi Ahamed, FPGA Implementation of Compact S-Box for AES algorithm using Composite field arithmetic.

      7. X. Zhang and K. Parhi, High-speed VLSI architectures for the AES algorithm, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 12, no. 9, pp. 957967, Sept 2004.

      8. L. Ali, I. Aris, F. S. Hossain, and N. Roy, Design of an ultra-high speed {AES} processor for next generation {IT} security , Computers & Electrical Engineering, vol. 37, no. 6, pp. 1160 1170, 2011.

      9. J. M. Granado-Criado and M. A. Vegaz, A new methodology to Implement the AES algorithm using partial and dynamic reconfiguration, The {VLSI} Journal on Integration,vol. 43, no. 1, pp. 72 80, 2010.

      10. Vincent Rijmen, Efficient Implementation of the Rijndael S-Box., Katholieke Universities Leuven, Dept. ESAT. Belgium.

      11. Akashi Satoh, Sumio Morioka, Kohji Takano and Seiji Munetoh, A Compact Rijndael Hardware Architecture with S-Box Optimization. Springer-Verilog Berlin Heidelberg, 2001.

      12. S.SrideviSathya Priya, N.M.SivaMangai Multiplexer based High Throughput S-box for AES Application Karunya University, ICECS 2015

      13. Advanced Encryption Standard (AES) Federal Information Processing Standards Publication 197, 26th November 2001.

Leave a Reply

Your email address will not be published. Required fields are marked *