A More Compact AES

  • David Canright
  • Dag Arne Osvik
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


We explore ways to reduce the number of bit operations required to implement AES. One way involves optimizing the composite field approach for entire rounds of AES. Another way is integrating the Galois multiplications of MixColumns with the linear transformations of the S-box. Combined with careful optimizations, these reduce the number of bit operations to encrypt one block by 9.0%, compared to earlier work that used the composite field only in the S-box. For decryption, the improvement is 13.5%. This work may be useful both as a starting point for a bit-sliced software implementation, where reducing operations increases speed, and also for hardware with limited resources.
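The second idea in the abstract rests on a simple fact: multiplying by a MixColumns constant is linear over GF(2), so it can be folded into the S-box's linear output transform as a single 8×8 bit matrix. The following sketch is an added example, not code from the paper; it uses the standard polynomial basis rather than the authors' composite-field basis, and all function names are hypothetical.

```python
# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def ginv(a):
    """a^254, i.e. the field inverse, with 0 mapped to 0 as in AES."""
    r = 1
    for _ in range(254):
        r = gmul(r, a)
    return r

def affine_lin(y):
    """Linear part of the S-box output transform (constant 0x63 omitted)."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4)

def sbox(x):
    return affine_lin(ginv(x)) ^ 0x63

def columns(f):
    """Bit matrix of a GF(2)-linear map f, stored as its 8 column images."""
    return [f(1 << j) for j in range(8)]

def apply(cols, v):
    out = 0
    for j in range(8):
        if (v >> j) & 1:
            out ^= cols[j]
    return out

# Merged matrices: the MixColumns scaling folded into the S-box linear layer.
M2 = columns(lambda y: gmul(2, affine_lin(y)))
M3 = columns(lambda y: gmul(3, affine_lin(y)))
C2, C3 = gmul(2, 0x63), gmul(3, 0x63)  # scaled affine constants

def merged_matches_reference():
    """Check M·inv(x) ^ C against 2·S(x) and 3·S(x) for every byte."""
    return all(apply(M2, ginv(x)) ^ C2 == gmul(2, sbox(x)) and
               apply(M3, ginv(x)) ^ C3 == gmul(3, sbox(x))
               for x in range(256))
```

In a bit-level circuit, each merged matrix replaces two successive XOR networks with one, which is where operations can be saved.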


Keywords: AES, tower field, composite Galois field, bitslice



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • David Canright (1)
  • Dag Arne Osvik (2)
  1. Naval Postgraduate School, Monterey, USA
  2. École Polytechnique Fédérale de Lausanne
