Results 11 - 20 of 32
Some Remarks on Efficient Inversion in Finite Fields
- In 1995 IEEE International Symposium on Information Theory, 1995
Cited by 7 (1 self)
This contribution is concerned with bit parallel inverters over finite fields. Two alternative approaches for inversion with low complexity which were proposed in the late nineteen eighties will be reviewed. Previously they seem to have received relatively little attention in the scientific community. Both methods are based on multiple field extension of GF(2). We will try to restate the two algorithms in a clear fashion. It will be shown that one architecture is a generalization of the other architecture's core algorithm. As an impressive example of the advantage of inverters operating over extension fields, the optimized complexity of a bit parallel inverter in the important field GF(2^8) will be computed, resulting in a surprisingly low gate count.
1 Introduction
Galois field arithmetic has widespread applications in contemporary communication systems, in particular in cryptography and in channel coding. Modern applications in many cases call for VLSI implementations of the a...
Hardware Design and Analysis of Block Cipher Components
- In Information Security and Cryptology – ICISC 2002, Lecture Notes in Computer Science 2587, 2002
Cited by 4 (3 self)
This paper describes the efficient implementation of Maximum Distance Separable (MDS) mappings and Substitution-boxes (S-boxes) in gate-level hardware for application to Substitution-Permutation Network (SPN) block cipher design. Different implementations of parameterized MDS mappings and S-boxes are evaluated using gate count as the space complexity measure and gate levels traversed as the time complexity measure. On this basis, a method to optimize MDS codes for hardware is introduced by considering the complexity analysis of bit parallel multipliers. We also provide a general architecture to implement any invertible S-box which has low space and time complexities. As an example, two efficient implementations of Rijndael, the Advanced Encryption Standard (AES), are considered to examine the different tradeoffs between speed and time.
Systematic evaluation of compact hardware implementations for the Rijndael S-box
- In Topics in Cryptology — CT-RSA 2005, 2005
Cited by 4 (0 self)
This work proposes a compact implementation of the AES S-box using composite field arithmetic in GF(((2^2)^2)^2). It describes a systematic exploration of different choices for the irreducible polynomials that generate the extension fields. It also examines all possible transformation matrices that map one field representation to another. We show that the area of Satoh's S-box, which is the most compact to our knowledge, is at least 5% away from an optimal solution. We implemented this optimal solution and Satoh's design using a 0.18 µm standard cell library.
Keywords: AES, S-box, inversion in GF(2^n), composite fields, smart card implementation
A Very Compact "Perfectly Masked" S-Box for AES
- In Applied Cryptography and Network Security - ACNS 2008, volume 5037 of LNCS, 2008
Cited by 4 (1 self)
Implementations of the Advanced Encryption Standard (AES), including hardware applications with limited resources (e.g., smart cards), may be vulnerable to "side-channel attacks" such as differential power analysis. One countermeasure against such attacks is adding a random mask to the data; this randomizes the statistics of the calculation at the cost of computing "mask corrections." The single nonlinear step in each AES round is the "S-box" (involving a Galois inversion), which incurs the majority of the cost for mask corrections. Oswald et al. [1] showed how the "tower field" representation allows maintaining an additive mask throughout the Galois inverse calculation. This work applies a similar masking strategy to the most compact (unmasked) S-box to date [2]. The result is the most compact masked S-box so far, with "perfect masking" (by the definition of Blömer [3]) giving suitable implementations immunity to first-order differential side-channel attacks.
Keywords: AES, S-box, masking, DPA, composite Galois field
Finite field polynomial multiplication in the frequency domain with application to elliptic curve cryptography
- In Proceedings of the 21st International Symposium on Computer and Information Sciences (ISCIS 2006), volume 4263 of Lecture Notes in Computer Science (LNCS), 2006
Cited by 3 (2 self)
We introduce an efficient method for computing Montgomery products of polynomials in the frequency domain. The discrete Fourier transform (DFT) based method originally proposed for integer multiplication provides an extremely efficient method with the best asymptotic complexity, i.e. O(m log m log log m), for multiplication of m-bit integers or (m − 1)st degree polynomials. However, the original DFT method bears significant overhead due to the conversions between the time and the frequency domains, which makes it impractical for short operands as used in many applications. In this work, we introduce DFT modular multiplication, which performs the entire modular multiplication (including the reduction step) in the frequency domain and thus eliminates costly back and forth conversions. We show that, especially on computationally constrained platforms, multiplication of finite field elements may be achieved more efficiently in the frequency domain than in the time domain for operand sizes relevant to elliptic curve cryptography (ECC). To the best of our knowledge, this is the first work that proposes the use of frequency domain arithmetic for ECC and shows that it can be efficient.
Key Words: Finite field multiplication, DFT, elliptic curve cryptography.
Efficient Implementation of Rijndael Encryption With Composite Field Arithmetic
Cited by 3 (2 self)
We explore the use of subfield arithmetic for efficient implementations of Galois Field arithmetic in the context of the Rijndael cipher.
On the (im)possibility of practical and secure nonlinear filters and combiners
- Selected Areas in Cryptography, SAC 2005, number 3897 in Lecture Notes in Computer Science, 2005
Cited by 3 (1 self)
A vast amount of literature on stream ciphers is directed to the cryptanalysis of LFSR-based filters and combiners, resulting in various attack models such as distinguishing attacks, (fast) correlation attacks and (fast) algebraic attacks. However, very little is known on the combined effects of these attacks and the resulting cryptographic requirements. In this paper, we present a unified framework for the security of a design against these attacks based on the properties of the LFSR(s) and the Boolean function used. It is explained why building nonlinear filters seems more practical than building nonlinear combiners. We also investigate concrete building blocks that offer a good trade-off in their resistance against these various attacks, and can at the same time be used to build a low-cost synchronous stream cipher for hardware applications.
Efficient Galois Field Arithmetic on SIMD Architectures
Cited by 3 (0 self)
We propose techniques to utilize the data parallelism capabilities of a SIMD architecture in computations involving Galois Field arithmetic. Galois Field arithmetic finds wide use in engineering applications, including error-correcting codes and cryptography. Often these applications involve extensive arithmetic on small (8-bit) numbers, and straightforward implementations may highly under-utilize the wide-word capabilities of a SIMD processor.
A Side-Channel Analysis Resistant Description of the AES S-box
- Fast Software Encryption 2005, LNCS 3557, 2005
Cited by 2 (0 self)
So far, efficient algorithmic countermeasures to secure the AES algorithm against (first-order) differential side-channel attacks have been very expensive to implement. In this article, we introduce a new masking countermeasure which is not only secure against first-order side-channel attacks, but which also leads to relatively small implementations compared to other masking schemes implemented in dedicated hardware. Our approach is based on shifting the computation of the finite field inversion in the AES S-box down to GF(4). In this field, the inversion is a linear operation and therefore it is easy to mask. Summarizing, the new masking scheme combines the concepts of multiplicative and additive masking in such a way that security against first-order side-channel attacks is maintained, and that small implementations in dedicated hardware can be achieved.
Constructing composite field representations for efficient conversion
- IEEE Transactions on Computers, 2003
Cited by 2 (1 self)
This paper describes a method of construction of a composite field representation from a given binary field representation. We derive the conversion (change of basis) matrix. The special case in which the degree of the ground field is relatively prime to the extension degree, where the irreducible polynomial generating the composite field has its coefficients from the binary prime field rather than the ground field, is also treated. Furthermore, certain generalizations of the proposed construction method, e.g., the use of nonprimitive elements and the construction of composite fields with special irreducible polynomials, are also discussed. Finally, we give storage-efficient conversion algorithms between the binary and composite fields when the degree of the ground field is relatively prime to the extension degree.
Index Terms: Composite and binary fields, primitive element, change of basis, AES.