Journal of Signal Processing Systems, Volume 50, Issue 2, pp 251–261

Area, Delay, and Power Characteristics of Standard-Cell Implementations of the AES S-Box

  • Stefan Tillich
  • Martin Feldhofer
  • Thomas Popp
  • Johann Großschädl


Cryptographic substitution boxes (S-boxes) are an integral part of modern block ciphers like the Advanced Encryption Standard (AES). There exists a rich literature devoted to the efficient implementation of cryptographic S-boxes, wherein hardware designs for FPGAs and standard cells received particular attention. In this paper we present a comprehensive study of different standard-cell implementations of the AES S-box with respect to timing (i.e. critical path), silicon area, power consumption, and combinations of these cost metrics. We examine implementations which exploit the mathematical properties of the AES S-box, constructions based on hardware look-up tables, and dedicated low-power solutions. Our results show that the timing, area, and power properties of the different S-box realizations can vary by up to almost an order of magnitude. In terms of area and area-delay product, the best choice are implementations which calculate the S-box output. On the other hand, the hardware look-up solutions are characterized by the shortest critical path. The dedicated low-power implementations do not only reduce power consumption by a large degree, but they also show good timing properties and offer the best power-delay and power-area product, respectively.


Advanced Encryption Standard (AES); substitution box (S-box); inversion in the finite field GF($2^8$); standard cell implementation; silicon area; critical path delay; power consumption



The authors would like to thank Johannes Wolkerstorfer and David Canright for providing the HDL source code of several AES S-box implementations. The research described in this paper has been supported by the Austrian Science Fund (FWF) under grant P16952–N04, the FIT-IT initiative of the Austrian Federal Ministry of Transport, Innovation, and Technology (project SNAP), and the EPSRC under grant EP/E001556/1. The research described in this paper has also been supported, in part, by the European Commission through the IST Programme under contract IST-2002-507932 ECRYPT. The information in this document reflects only the authors’ views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.



Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Stefan Tillich (1)
  • Martin Feldhofer (1)
  • Thomas Popp (1)
  • Johann Großschädl (2)

  1. Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
  2. Department of Computer Science, University of Bristol, Bristol, UK