Compact and Secure Design of Masked AES S-Box

  • Babak Zakeri
  • Mahmoud Salmasizadeh
  • Amir Moradi
  • Mahmoud Tabandeh
  • Mohammad T. Manzuri Shalmani
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4861)


Composite field arithmetic is known as an alternative to lookup tables for implementing the S-box block of the AES algorithm. The idea is to break down the computation into lower-order fields and compute the inverse there. Recently this idea has been used both for reducing the area of S-box implementations and for masked implementations of the AES algorithm. The most compact design using this technique is presented by Canright, using only 92 gates for an S-box block. In another approach, the IAIK laboratory has presented a masked implementation of the AES algorithm using composite field arithmetic, with higher security compared with common masking methods. Our work in this paper is to use the basic ideas of the two approaches above to obtain a compact masked S-box. We use the idea of masking the inversion from IAIK's masked S-box, but we rewrite the equations using a normal basis. We arrange the terms in these equations in a way that the optimized functions in Canright's compact S-box can be used for our design. An implementation of IAIK's masked S-box using Canright's polynomial functions is also presented, to allow a fair comparison between our design and IAIK's design. Moreover, we show that this design, which uses two special normal bases for GF(16) and GF(4), is the smallest. We also prove the security of this design using some lemmas.
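To make the composite field idea concrete, the following is an added example (not code from the paper, nor Canright's or IAIK's design) that computes the AES S-box by recursively reducing the GF(2^8) inversion to GF(16), GF(4) and finally GF(2). It uses a polynomial-basis tower with the constants of Satoh et al. (φ = w, λ = (w+1)z), not the normal basis of the paper's design, and derives the basis-change isomorphism by searching for a root of the AES polynomial inside the tower rather than hard-coding a matrix.

```python
# Added example, not code from the paper: AES S-box via tower-field arithmetic
# GF(((2^2)^2)^2), phi = w (0b10), lambda = (w+1)z (0b1100) as in Satoh et al.

class Tower:
    """GF(2^bits) = sub[x]/(x^2 + x + c); sub=None means the base field GF(2)."""
    def __init__(self, bits, c, sub):
        self.h, self.c, self.sub = bits // 2, c, sub        # h = bits in each half

    def mul(self, a, b):
        if self.sub is None:                                # GF(2): AND
            return a & b
        m, h = self.sub.mul, self.h
        ah, al, bh, bl = a >> h, a & (1 << h) - 1, b >> h, b & (1 << h) - 1
        hi = m(ah, bh) ^ m(ah, bl) ^ m(al, bh)              # x^2 = x + c folded in
        return (hi << h) | (m(self.c, m(ah, bh)) ^ m(al, bl))

    def inv(self, a):
        if self.sub is None:                                # GF(2): 0->0, 1->1
            return a
        m, h = self.sub.mul, self.h
        ah, al = a >> h, a & (1 << h) - 1
        n = m(self.c, m(ah, ah)) ^ m(ah, al) ^ m(al, al)    # norm, a subfield element
        ni = self.sub.inv(n)                                # only inversion: one level down
        return (m(ah, ni) << h) | m(ah ^ al, ni)

GF2 = Tower(1, None, None)
GF4 = Tower(2, 0b1, GF2)         # w^2 = w + 1
GF16 = Tower(4, 0b10, GF4)       # z^2 = z + w
GF256 = Tower(8, 0b1100, GF16)   # y^2 = y + (w+1)z

def _pow(F, a, e):
    r = 1
    for _ in range(e):
        r = F.mul(r, a)
    return r

# Basis change: r = a root of x^8+x^4+x^3+x+1 (AES polynomial) in the tower; x^i -> r^i.
ROOT = next(r for r in range(2, 256)
            if _pow(GF256, r, 8) ^ _pow(GF256, r, 4) ^ _pow(GF256, r, 3) ^ r ^ 1 == 0)
TO_TOWER = [0] * 256
for a in range(256):
    for i in range(8):
        if a >> i & 1:
            TO_TOWER[a] ^= _pow(GF256, ROOT, i)
FROM_TOWER = {v: a for a, v in enumerate(TO_TOWER)}

def aes_sbox(a):                 # S(a) = affine(a^-1), inversion done in the tower
    x = FROM_TOWER[GF256.inv(TO_TOWER[a])]
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63
```

Every multiplication and inversion at the GF(256) level bottoms out in GF(2) AND/XOR operations, which is exactly the structure that makes gate-level optimisation (and masking of the single subfield inversion) tractable.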


Keywords: Composite field arithmetic, AES, Masking, Side-Channel Attack




  1. Akkar, M.-L., Giraud, C.: An Implementation of DES and AES, Secure against Some Attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 309–318. Springer, Heidelberg (2001)
  2. Canright, D.: A Very Compact Rijndael S-box. Technical Report NPS-MA-04-001, Naval Postgraduate School (September 2004)
  3. Golić, J.D., Tymen, C.: Multiplicative Masking and Power Analysis of AES. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 198–212. Springer, Heidelberg (2003)
  4. Conway, J.H.: On Numbers and Games. 2nd edn., AK Peters (2001)
  5. Kocher, P.C., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  6. Mangard, S., Popp, T., Gammel, B.M.: Side-Channel Leakage of Masked CMOS Gates. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 351–365. Springer, Heidelberg (2005)
  7. Mangard, S., Pramstaller, N., Oswald, E.: Successfully Attacking Masked AES Hardware Implementations. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 157–171. Springer, Heidelberg (2005)
  8. Mangard, S., Schramm, K.: Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 76–90. Springer, Heidelberg (2006)
  9. Mentens, N., Batina, L., Preneel, B., Verbauwhede, I.: A Systematic Evaluation of Compact Hardware Implementations for the Rijndael S-box. In: Menezes, A.J. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 323–333. Springer, Heidelberg (2005)
  10. National Institute of Standards and Technology (NIST): FIPS-197: Advanced Encryption Standard (November 2001), available online at:
  11. Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: A Side-Channel Analysis Resistant Description of the AES S-box. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 21–23. Springer, Heidelberg (2005)
  12. Pramstaller, N., Oswald, E., Mangard, S., Gürkaynak, F.K., Haene, S.: A Masked AES ASIC Implementation. In: Austrochip 2004, Villach, Austria, October 8th, 2004, pp. 77–82 (2004)
  13. Rudra, A., Dubey, P., Jutla, C., Kumar, V., Rao, J., Rohatgi, P.: Efficient Rijndael Implementation with Composite Field Arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 175–188. Springer, Heidelberg (2001)
  14. Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact Rijndael Hardware Architecture with S-Box Optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)
  15. Trichina, E., Korkishko, T.: Secure AES Hardware Module for Resource Constrained Devices. In: Castelluccia, C., Hartenstein, H., Paar, C., Westhoff, D. (eds.) ESAS 2004. LNCS, vol. 3313, pp. 215–229. Springer, Heidelberg (2005)
  16. Zhou, Y.B., Feng, D.G.: Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing. Cryptology ePrint Archive, Report 2005/388 (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Babak Zakeri (1)
  • Mahmoud Salmasizadeh (1, 2)
  • Amir Moradi (3)
  • Mahmoud Tabandeh (1)
  • Mohammad T. Manzuri Shalmani (3)
  1. School of Electrical Engineering, India
  2. Electronic Research Center, Australia
  3. Department of Computer Engineering, Sharif University of Technology, Azadi St., Tehran, Iran
