Yawen Wang, Sini Bin, Shikai Zhu, Xiaoting Hu^*
College of Computer Science & Technology, Jiangsu Normal University, Xuzhou, China.
DOI: 10.4236/jcc.2024.124016   PDF    HTML   XML   26 Downloads   125 Views   Citations

Abstract

The SubBytes (S-box) transformation is the most crucial operation in the AES algorithm, significantly impacting the implementation performance of AES chips. To design a high-performance S-box, a segmented optimization implementation of the S-box is proposed based on the composite field inverse operation in this paper. This proposed S-box implementation is modeled using Verilog language and synthesized using Design Complier software under the premise of ensuring the correctness of the simulation result. The synthesis results show that, compared to several current S-box implementation schemes, the proposed implementation of the S-box significantly reduces the area overhead and critical path delay, then gets higher hardware efficiency. This provides strong support for realizing efficient and compact S-box ASIC designs.

Keywords

Advanced Encryption Standard (AES), S-Box, Tower Field, Hardware Implementation, Application Specific Integration Circuit (ASIC)

Share and Cite:

1. Introduction

Advanced Encryption Standard (AES) is one of the most important block encryption algorithms at present and has been widely applied in various fields, such as communication, network security, e-commerce, and so on. In this algorithm, the plaintext is fixed at 128 bits, while its key length can vary between 128,192 and 256 bits. This algorithm arranges the 128-bit plaintext into a 4 ´ 4 state matrix by byte, and then encrypts the plaintext through multiple iterations of the round function which includes SubBytes (S-box), ShiftRow, and MixColumnand AddRoundKey operations. The number of iterations of encryption is determined by the length of the key 10 iterations for the 128-bit key, 12 iterations for a 192-bit key, and 14 iterations for a 256-bit key. Among these operations in the AES algorithm, S-box transformation is the only nonlinear transformation that plays a crucial role in the security of the encryption algorithm [1] . It makes cryptanalysis more difficult by adding confusion and diffusion and ensuring the security of the AES algorithm. However, its complexity largely impacts AES implementation performance.

Researchers have focused on improving the performance of S-box implementation through two methods: the look-up table method (LUT) [2] [3] and the algebraic method [4] [5] . The LUT method can transform complex nonlinear operations into simple look-up table operations, reducing the complexity and difficulty of implementation, but it has drawbacks like high area overhead and vulnerability to attack. In the algebraic method, the S-box is implemented based on the logical expression between inputs and outputs. Compared with the LUT method, the algebraic method does not need to calculate and store 256 predefined values of S-Box in ROM, resulting in a smaller area overhead. However, this kind of method involves the complex computation of the multiplicative inversion in finite field GF(2⁸), which leads to low processing speed.

To achieve a better tradeoff between area overhead and speed for S-box implementation, the research has explored various strategies. Wang et al. [6] modified the affine transformation part of the S-box by using a pipeline, and proposed an area optimized combinational logic S-box implementation of AES. QIN et al. [7] obtained the logic expressions of the S-box and inverse S-box in the AES algorithm through the improved Q-M simplifying method, which reduced the delay, area, and power of the circuit. However, due to the bottleneck of multiplication inversion operation, this kind of improvement is limited. To address the bottleneck, a method based on composite fields was proposed [8] [9] . Using this method, one can convert the multiplicative inversion in GF(2⁸) to low-order fields such as GF(2⁴), GF(2²), and GF(2) through isomorphic mapping, thereby reducing the complexity of multiplicative inversion and improving the efficiency of S-box processes. However, the implementation performance of S-box based on composite fields is related to the selection of low-order fields and their representation basis. To address this issue, several scholars have conducted extensive research on the selection of isomorphic matrix or polynomial basis and have proposed various optimization schemes of S-box [10] [11] [12] [13] . R. Ueno et al. [14] used different polynomial basis and Galois field arithmetic to optimize the inversion circuit, and proposed an efficient and compact S-box architecture. Some structural optimization schemes have also been proposed to improve the performance of the S-box. A. Reyhani-Masoleh et al. [15] mapped the finite field GF(2⁸) to tower fields and proposed the structure of S-box and inverse S-box combination. Y.-T. TENG et al. [16] adopted a pipeline architecture based on composite fields and combined S-box and inverse S-box to achieve optimization effects. In [17] [18] , an optimization scheme of the S-box is proposed by changing the order and structure of affine transformation and multiplication inversion. In addition, the method of combining combinational logic simplification technique with composite fields is often used to optimize the S-box implementation. A. Nakashima et al. [19] optimized the isomorphic mapping logic by combining multiplicative and exponential offsets. S. -H LIN et al. [20] proposed a S-box structure of a seven-stage hardware pipeline system with high throughput based on composite fields, logic optimization technology and pipeline-flow technology.

In this paper, we propose a low-area, high-performance S-box ASIC (Application Specific Integration Circuit) implementation by combining composite fields, the Karnaugh map simplification technique, the Input Variable Bypass Technique (IVB) [21] and other combinational logic simplification techniques. The main contributions of this paper are as follows:

1) We merged the inverse isomorphism and affine transformation into one matrix transform, which simplifies the implementation of the S-box and reduces the area overhead.

2) Based on composite fields, we map the multiplicative inversion in GF(2⁸), GF(2⁴) and GF(2²) to GF((2⁴)²), GF((2²)²) and GF(2) respectively. This approach reduces the complexity of multiplicative inversion.

3) We proposed a high efficiency of S-box architecture based on segmented optimization by combing different logic simplification techniques and exploring different segment combinations.

The organization of the remaining sections of this paper is as follows: Section 2 introduces basic theoretical background of this research topic in this paper. Section 3 describes the segmented optimization S-box structure proposed in this paper. Section 4 presents the logic derivation and optimization of each module in the proposed structure. Section 5 provides the experiment result and performance evaluation. Finally, in Section 6, this paper is concluded.

2. Preliminaries

2.1. GF(2⁸) and Its Operations

GF(2⁸) is a finite field with 256 elements. These elements can be represented in 8-bit binary or as polynomials of degrees less than 8 with coefficients in GF(2). Suppose an element $a\in \text{GF}\left(2^8\right)$ and its binary form is $a_{\text{7}}{a}_{\text{6}}{a}_{\text{5}}{a}_{\text{4}}{a}_{\text{3}}{a}_{\text{2}}{a}_1{a}_0$ , then its corresponding polynomial representation is shown in Equation (1).

$a\left(x\right)=a_7{x}^7+a_6{x}^6+\cdots +a_{1}x+a_{\text{0}}\left(a_i\in \text{GF}\left(2\right)\right)$ (1)

The operations in GF(2⁸) include addition/subtraction, multiplication, inversion, and other operations. The addition/subtraction operation here ( $\oplus$ ) is a bitwise XOR operation which, in polynomial representation, corresponds to the XOR of coefficients of the same terms.

The multiplication operation is modular multiplication ( $\otimes$ ). It involves two steps: polynomial multiplication and reduction modulo an irreducible polynomial $m\left(x\right)$ . Let $a\left(x\right)$ and $b\left(x\right)$ be elements in GF(2⁸) and $c\left(x\right)$ be their product. Then $c\left(x\right)=a\left(x\right)\times b\left(x\right)\mathrm{mod}m\left(x\right)$ .

The multiplicative inverse $a^{-1}\left(x\right)$ of $a\left(x\right)$ in GF(2⁸) is defined as the element that satisfies $a\left(x\right)\times b\left(x\right)\mathrm{mod}m\left(x\right)=1$ .

Note that, in the AES algorithm, irreducible polynomial in GF(2⁸) is specified as $m\left(x\right)=x^8+x^4+x^3+x+1$ .

2.2. The Fundamental Construction Principle of the S-Box Based on Composite Fields

The original S-box transformation in the AES algorithm consists of two parts: multiplicative inversion and affine transformation in GF(2⁸). Its algebraic expression is shown as Equation (2):

$S_b\left[x\right]=A{x}^{-1}\oplus 63\text{H}$ (2)

where $x$ , $S_b\left[x\right]\in \text{GF}\left({\text{2}}^{\text{8}}\right)$ are the 8-bit input and output of the S-box respectively. $x^{-1}$ is the inversion of x, and A is affine transformation matrix.

$A=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 0& 0& 0\\ 0& 1& 1& 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 0& 0& 0& 1& 1& 1& 1& 1\\ 1& 0& 0& 0& 1& 1& 1& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 1& 1& 1& 1& 0& 0& 0& 1\end{array}\right]$ .

As mentioned above, in the S-box transformation, the operation to find the inversion element of x is the most complex and time-consuming. Traditionally, the extended Euclidean algorithm is employed for inversion in GF(2⁸), but its hardware implementation efficiency is not high. Therefore, the method of solving inversion based on composite fields was proposed. The key idea of this method is to transform the inversion operation in high-order fields into low-order fields, thus reducing the complexity of the inverse algorithm. Specifically, the implementation of the S-box based on composite fields can be divided into four steps:

1) Mapping an element q in GF(2⁸) to $q^{\prime }$ in the composite field GF(2⁴)² by using an isomorphic matrix so that $q^{\prime }$ can be represented as $bx+c$ in GF(2⁴)² where $b,c\in \text{GF}\left({\text{2}}^{\text{4}}\right)$ .

2) Using Equation (3) to find the multiplicative inverse of $q^{\prime }$ in GF((2⁴)²) [22] .

$\begin{array}{c}{q^{\prime }}^{-1}={\left(bx+c\right)}^{-1}\\ =b{\left(b^2\lambda \oplus bc\beta \oplus c^2\right)}^{-1}x+\left(c\oplus b\beta \right){\left(b^2\lambda \oplus bc\beta \oplus c^2\right)}^{-1}\end{array}$ (3)

3) Converting ${q^{\prime }}^{-1}$ in GF(2⁴)² into $q^{-1}$ in GF(2⁸) by using the inverse of isomorphic matrix.

4) Performing the operation $A{q}^{-1}\oplus 63\text{H}$ to get final the output of S-box $S_b\left[q\right]$ .

Note that β and l in Equation (3) are the coefficients of the irreducible polynomial $x^2+\beta x+\lambda$ chosen for multiplication when mapping GF(2⁸) to GF((2⁴)²).

3. Proposed S-Box Architecture Based on Segmented Optimization

This section presents a segmented optimized S-box architecture. As shown in Figure 1, this architecture consists of an isomorphic mapping module, an inversion module in composite fields and a merged module of inverse isomorphism and affine transformation. The functions of each module are described as follows:

The isomorphic mapping module: To convert an 8-bit element q (be regarded as a column vector) in GF(2⁸) into $q^{\prime }$ in GF((2⁴)²) by multiplying q by the isomorphic matrix d. That is $q^{\prime }=\delta q$ .

The inversion module in composite fields: To calculate the inversion of $q^{\prime }$ in GF((2⁴)²). The inversion operation is completed by three steps F₁, F₂, F₃. All operations in submodules F₁, F₂, F₃ are 4-bit operations in the low-order field GF(2⁴) which largely reduces the computational complexity.

The merged module of inverse isomorphism and affine transformation: To complete the operation $a=A{\delta }^{-1}{q^{\prime }}^{-1}\oplus 63\text{H}$ equivalently by replacing $A{\delta }^{-1}$ with a merged matrix B and optimizing XOR constant operation where ${\delta }^{-1}$ represent the inverse isomorphism matrix.

4. Logic Derivation and Optimizations

In this section, we present the logic derivation for three modules and corresponding sub-segments in each module shown in Figure 1 in Section 3.

4.1. The Isomorphic Mapping Module

When calculating multiplicative inverses in GF(2⁸) based on composite fields, the first step is to map the elements in GF(2⁸) to the composite field GF((2⁴)²) using by multiplying an isomorphic matrix, but these isomorphic matrix is not fixed because the elements in GF((2⁴)²) can be generated by different irreducible polynomials. It implies that there exists diversity in the isomorphic mapping matrix from elements in GF(2⁸) to GF((2⁴)²). To optimize the implementation performance of the isomorphic mapping module in S-box, it is necessary to carefully to select appropriate irreducible polynomials to get the best isomorphic matrix, thereby reducing critical path delay and area overhead. Refer to [22] , we choose the isomorphic matrix δ as shown in Equation (4).

$\delta =\left[\begin{array}{cccccccc}1& 0& 1& 0& 0& 0& 0& 0\\ 1& 1& 0& 1& 1& 1& 1& 0\\ 1& 0& 1& 0& 1& 1& 0& 0\\ 1& 0& 1& 0& 1& 1& 1& 0\\ 1& 1& 0& 0& 0& 1& 1& 0\\ 1& 0& 0& 1& 1& 1& 1& 0\\ 0& 1& 0& 1& 0& 0& 1& 0\\ 0& 1& 0& 0& 0& 0& 1& 1\end{array}\right]$ (4)

Assuming that the input of the S-box is $q={\left[q_7,q_6,q_5,q_4,q_3,q_2,q_1,q_0\right]}^{\text{T}}$ , the expression for the output of the isomorphic mapping module is shown as Equation (5).

$\delta \times q=q^{\prime }=\left[\begin{array}{l}{b}_3\\ b_2\\ b_1\\ b_0\\ c_3\\ c_2\\ c_1\\ c_0\end{array}\right]=\left[\begin{array}{c}{q}_7\oplus q_5\\ q_7\oplus q_6\oplus q_4\oplus q_3\oplus q_2\oplus q_1\\ q_7\oplus q_5\oplus q_3\oplus q_2\\ q_7\oplus q_5\oplus q_3\oplus q_2\oplus q_1\\ q_7\oplus q_6\oplus q_2\oplus q_1\\ q_7\oplus q_4\oplus q_3\oplus q_2\oplus q_1\\ q_6\oplus q_4\oplus q_1\\ q_6\oplus q_1\oplus q_0\end{array}\right]$ (5)

where b₃b₂b₁b₀ represents the high 4 bits of output $q^{\prime }$ , and c₃c₂c₁c₀ represents the low 4 bits of output $q^{\prime }$ .

4.2. The Inversion Module in Composite Fields

To obtain the multiplicative inverse of $q^{\prime }$ in GF((2⁴)²) expressed as Equation (3), we decompose Equation (3) into F₁, F₂ and F₃ as shown in Equation (6), (7) and (8), and use the recursive deduction method to get the logical expressions of F₁, F₂ and F₃.

${\text{F}}_1=b^2\lambda \oplus bc\beta \oplus c^2$ (6)

${\text{F}}_2={\left({\text{F}}_1\right)}^{-1}$ (7)

${\text{F}}_3=b{\text{F}}_2\left|\right|\left(c\oplus b\beta \right){\text{F}}_2$ (8)

where the symbol “||” in Equation (8) represents concatenation.

In order to optimize the implementation, we select β = 1, λ = 1100 b to be the coefficients of the generating polynomial $m_1\left(x\right)=x^2+\beta x+\lambda$ of the composite field GF((2⁴)²), then Equations (6), (7) and (8) are simplified to (9), (10), (11).

${\text{F}}_1=b^2\lambda \oplus bc\oplus c^2$ (9)

${\text{F}}_2={\left({\text{F}}_1\right)}^{-1}$ (10)

${\text{F}}_3=b{\text{F}}_2\left|\right|\left(c\oplus b\right){\text{F}}_2$ (11)

Note that, when calculating inversion in composite fields, three types of irreducible polynomials are required to complete the operation conversion from the high-order field to the low-order field. To simplify the following expression, we list the three types of polynomials as shown in Table 1.

4.2.1. F₁ Module

Figure 2 shows the calculation process of F₁. Next, we will deduce and optimize the logic expression for each step in Figure 2.

1) b² operation in GF(2⁴)

As can be seen from Figure 2, we let $k=b^2=k_3{k}_2{k}_1{k}_0={\left(b_3{b}_2{b}_1{b}_0\right)}^2$ , then this operation can be expressed as the form in GF((2²)²) shown in Equation (12).

$\begin{array}{c}k=b^2={\left(b_{H}x+b_L\right)}^2\mathrm{mod}{m}_2\left(x\right)\\ =b_H^{2}x+\left(b_H^2\phi \oplus b_L^2\right)\\ =k_{H}x+k_L\end{array}$ (12)

where $k_H=k_3{k}_2$ , $k_L=k_1{k}_0$ , $b_H=b_3{b}_2$ , $b_L=b_1{b}_0$ , $m_2\left(x\right)$ (see Table 1) is an irreducible generating polynomial for GF((2²)²). Obviously,

$k_H=b_H^2;k_L=b_H^2\phi \oplus b_L^2$ . (13)

Then one can further decompose the operation $b_H^2$ and $b_L^2$ in GF(2²) to GF(2) to get Equation (14):

$\{\begin{array}{l}{b}_H^2={\left(b_{3}x+b_2\right)}^2\mathrm{mod}{m}_3\left(x\right)=b_{3}x+\left(b_3\oplus b_2\right)\\ b_L^2={\left(b_{1}x+b_0\right)}^2\mathrm{mod}{m}_3\left(x\right)=b_{1}x+\left(b_1\oplus b_0\right)\end{array}$ (14)

where $m_3\left(x\right)$ (see Table 1) is an irreducible generating polynomial in GF(2).

By combining Equation (13), (14), we can obtain Equation (15).

$\{\begin{array}{l}{k}_H=b_{3}x+\left(b_3\oplus b_2\right)=k_{3}x+k_2\\ k_L=\left(b_1\oplus b_2\right)x+\left(b_0\oplus b_1\oplus b_3\right)=k_{1}x+k_0\end{array}$ (15)

According to Equation (15), we can get the expression of k as shown in equation (16).

$\{\begin{array}{l}{k}_3=b_3\\ k_2=b_2\oplus b_3\\ k_1=b_1\oplus b_2\\ k_0=b_0\oplus b_1\oplus b_3\end{array}$ (16)

2) $t=b^2\lambda$ operation

As mentioned above, in order to optimize the expression, we choose $\lambda ={\left\{1100\right\}}_2$ and let

$t=b^2\lambda =k\lambda =t_3{t}_2{t}_1{t}_0=\left(k_3{k}_2{k}_1{k}_0\right)\otimes \lambda$ .

Then, the polynomial representation of t can be written as Equation (17).

$\begin{array}{c}t=\left(k_{H}x+k_L\right)\left({\lambda }_{H}x+{\lambda }_L\right)\mathrm{mod}{m}_2\left(x\right)\\ =\left(k_H{\lambda }_H{x}^2+k_H{\lambda }_{L}x+k_L{\lambda }_{H}x+k_L{\lambda }_L\right)\mathrm{mod}{m}_2\left(x\right)\\ =\left(k_L{\lambda }_H\oplus k_H{\lambda }_H\right)x+k_H{\lambda }_H\phi \\ =t_{H}x+t_L\end{array}$ (17)

where $t_H=t_3{t}_2$ , $t_L=t_1{t}_0$ , ${\lambda }_H=11$ , ${\lambda }_L=00$ .

Using similar derivation method used for k, $t_H$ and $t_L$ can be expressed as Equation (18).

$\{\begin{array}{l}{t}_H=k_L{\lambda }_H\oplus k_H{\lambda }_H\\ =\left(\left(k_{1}x+k_0\right)\left(x+1\right)+\left(k_{3}x+k_2\right)\left(x+1\right)\right)\mathrm{mod}{m}_3\left(x\right)\\ =\left(k_0\oplus k_2\right)x+\left(k_0\oplus k_1\oplus k_2\oplus k_3\right)\\ =t_{3}x+t_2\\ t_L=k_H{\lambda }_H\phi \\ =\left[\left(k_{3}x+k_2\right)\left(x+1\right)x\right]\mathrm{mod}{m}_3\left(x\right)\\ =k_{3}x+k_2\\ =t_{1}x+t_0\end{array}$ (18)

Then we can get the expression of t as Equation (19).

$\{\begin{array}{l}{t}_3=k_0\oplus k_2\\ t_2=k_0\oplus k_1\oplus k_2\oplus k_3\\ t_1=k_3\\ t_0=k_2\end{array}$ (19)

3) $s=c\left(b\oplus c\right)$ operation

For s, we let $m_i=b_i\oplus c_i$ , then the expression of s can be written as Equation (20).

$\{\begin{array}{l}{s}_3=c_3{m}_2\oplus c_2{m}_3\oplus c_3{m}_0\oplus c_0{m}_3\oplus c_2{m}_1\oplus c_1{m}_2\oplus c_3{m}_3\oplus c_3{m}_1\oplus c_1{m}_3\\ s_2=c_2{m}_2\oplus c_2{m}_0\oplus c_0{m}_2\oplus c_3{m}_3\oplus c_3{m}_1\oplus c_1{m}_3\\ s_1=c_1{m}_0\oplus c_0{m}_1\oplus c_2{m}_2\oplus c_1{m}_1\oplus c_3{m}_2\oplus c_2{m}_3\\ s_0=c_0{m}_0\oplus c_1{m}_1\oplus c_3{m}_2\oplus c_2{m}_3\oplus c_3{m}_3\end{array}$ (20)

By combining Equations (16), (19), (20) and simplifying them, we can obtain the logic expression of e as Equation (21).

$\{\begin{array}{l}{e}_3=b_0\overline{c_3}\oplus b_1\overline{c_2}\oplus b_2\overline{c_1}\oplus c_3{b}_2\oplus c_2{b}_3\oplus c_0{b}_3\oplus c_3\overline{b_3}\oplus c_3{b}_1\oplus c_1{b}_3\\ e_2=\overline{c_2}{b}_0\oplus \overline{c_1}{b}_3\oplus c_2\overline{b_2}\oplus c_0{b}_2\oplus c_3\overline{b_3}\oplus c_3{b}_1\\ e_1=c_1{b}_0\oplus c_0{b}_1\oplus c_2\overline{b_2}\oplus c_1\overline{b_1}\oplus c_3{b}_2\oplus \overline{c_2}{b}_3\\ e_0=c_0\overline{b_0}\oplus c_1\overline{b_1}\oplus \overline{c_3}{b}_2\oplus \overline{c_2}{b}_3\oplus c_3\overline{b_3}\end{array}$ (21)

4.2.2. F₂ Module

The F₂ module is used to calculate the inversion in GF(2⁴). To derive and simplify the output expression of F₂, we first utilize the idea of tower fields to partition the operation in F₂ into three parts: G₁, G₂ and G₃, as depicted in Figure 3. Subsequently, after obtaining the logic expression of G₁, G₂ and G₃, we merge them into an expression. Finally, we employ Karnaugh map simplification technique, input variable bypass technique [21] and other logic simplification technique to further simplify and obtain the output of F₂.

Specifically, according to the idea of tower fields, the G₁, G₂ and G₃ can be expressed as Equation (22).

$\{\begin{array}{l}{\text{G}}_1=e_H^2\phi \oplus e_L\left(e_H\oplus e_L\right)\\ {\text{G}}_2={\left({\text{G}}_1\right)}^{-1}\\ {\text{G}}_{\text{3}}=e_H{\text{G}}_2\left|\right|\left(e_H\oplus e_L\right){\text{G}}_2\end{array}$ (22)

where $e_H=e_3{e}_2$ , $e_L=e_1{e}_0$ .

For G₁, we first get Equation (23), then obtain the expression of G₁ as shown in equation (24) by combining Equations (22) and (23) and simplifying them.

$\{\begin{array}{l}{e}_H^2=\left(e_3,e_2\oplus e_3\right)\\ e_H^2\phi =\left(e_2,e_3\right)\\ e_L\left(e_H\oplus e_L\right)=\left(e_1\overline{e_3}\oplus e_0{e}_3\oplus e_1{e}_2,e_1\overline{e_3}\oplus e_0\overline{e_2}\right)\end{array}$ (23)

$\begin{array}{l}{\text{G}}_1=\left(h_1,h_0\right)\\ =\left(e_1\overline{e_3}\oplus e_0{e}_3\oplus e_2\overline{e_1},e_3\oplus e_1\overline{e_3}\oplus e_0\overline{e_2}\right)\end{array}$ (24)

For G₂, we directly use the simplification method of Karnaugh map to obtain its output expression as shown in Equation (25).

$\{\begin{array}{l}{h}_1\text{'}=h_1\\ h_0\text{'}=h_1\oplus h_0\end{array}$ (25)

Finally, by combining with Equation (24) and (25) and G₃ in Equation (22) and simplifying the expression combined, we obtain the expression of F₂ as shown in Equation (26).

$\{\begin{array}{l}{y}_3=\overline{e_0}{e}_3\oplus e_1{e}_2\overline{e_3}\oplus \overline{e_1}{e}_2\\ y_2=e_0\overline{e_2}{e}_3\oplus e_1{e}_2{e}_3\oplus \overline{e_1}{e}_2\\ y_1=e_1\oplus e_0{e}_1\overline{e_2}\oplus e_3\oplus e_1{e}_2\overline{e_3}\oplus \overline{e_0}\overline{e_1}{e}_2\oplus e_0{e}_1\overline{e_3}\\ y_0=e_1{e}_2\oplus e_1\overline{e_2}\overline{e_3}\oplus \overline{e_0}\overline{e_1}{e}_2\oplus e_0{e}_1{e}_3\oplus e_0\overline{e_2}\overline{e_3}\end{array}$ (26)

4.2.3. F₃ Module

As shown in Figure 1, b, c and y are the inputs of F₃, then we can derive to get the output expression of F₃ ${q^{\prime }}_7{}^{-1}{q^{\prime }}_6{}^{-1}{q^{\prime }}_5{}^{-1}{q^{\prime }}_4{}^{-1}{q^{\prime }}_3{}^{-1}{q^{\prime }}_2{}^{-1}{q^{\prime }}_1{}^{-1}{q^{\prime }}_0{}^{-1}$ as shown in Equation (27).

$\{\begin{array}{l}{q^{\prime }}_7{}^{-1}=y_3\left(b_0\oplus b_1\oplus b_2\oplus b_3\right)\oplus y_2\left(b_1\oplus b_3\right)\oplus y_1\left(b_2\oplus b_3\right)\oplus y_0{b}_3\\ {q^{\prime }}_6{}^{-1}=y_3\left(b_1\oplus b_3\right)\oplus y_2\left(b_0\oplus b_2\right)\oplus y_1{b}_3\oplus y_0{b}_2\\ {q^{\prime }}_5{}^{-1}=y_3{b}_2\oplus y_2\left(b_2\oplus b_3\right)\oplus y_1\left(b_0\oplus b_1\right)\oplus y_0{b}_1\\ {q^{\prime }}_4{}^{-1}=y_3\left(b_2\oplus b_3\right)\oplus y_2{b}_3\oplus y_1{b}_1\oplus y_0{b}_0\\ {q^{\prime }}_3{}^{-1}=y_3\left(b_0\oplus c_0\oplus b_1\oplus c_1\oplus b_2\oplus c_2\oplus b_3\oplus c_3\right)\\ \oplus y_2\left(b_1\oplus c_1\oplus b_3\oplus c_3\right)\oplus y_1\left(b_2\oplus c_2\oplus b_3\oplus c_3\right)\oplus y_0\left(b_3\oplus c_3\right)\\ {q^{\prime }}_2{}^{-1}=y_3\left(b_1\oplus c_1\oplus b_3\oplus c_3\right)\oplus y_2\left(b_0\oplus c_0\oplus b_2\oplus c_2\right)\\ \oplus y_1\left(b_3\oplus c_3\right)\oplus y_0\left(b_2\oplus c_2\right)\\ {q^{\prime }}_1{}^{-1}=y_3\left(b_2\oplus c_2\right)\oplus y_2\left(b_2\oplus c_2\oplus b_3\oplus c_3\right)\oplus y_1\left(b_0\oplus c_0\oplus b_1\oplus c_1\right)\\ \oplus y_0\left(b_1\oplus c_1\right)\\ {q^{\prime }}_0{}^{-1}=y_3\left(b_2\oplus c_2\oplus b_3\oplus c_3\right)\oplus y_2\left(b_3\oplus c_3\right)\oplus y_1\left(b_1\oplus c_1\right)\oplus y_0\left(b_0\oplus c_0\right)\end{array}$ (27)

To optimize the implementation of Equation (27) in the hardware circuit, we extract the common part of 8 sub-expressions of Equation (27) and define intermediate variable $d_i$ as shown in Equation (28). Then the expression can be optimized into Equation (29).

$\{\begin{array}{l}{d}_0=b_0\oplus b_1\\ d_1=b_0\oplus b_2\\ d_2=b_1\oplus b_3\\ d_3=b_2\oplus b_3\\ d_4=b_3\oplus c_3\\ d_5=b_2\oplus c_2\\ d_6=b_1\oplus c_1\\ d_7=b_0\oplus c_0\\ d_8=d_0\oplus d_3\\ d_9=d_4\oplus d_5\oplus d_6\oplus d_7\\ d_{10}=d_4\oplus d_6\\ d_{11}=d_4\oplus d_5\\ d_{12}=d_5\oplus d_7\\ d_{13}=d_6\oplus d_7\end{array}$ (28)

$\{\begin{array}{l}{q^{\prime }}_7{}^{-1}=y_3{d}_8\oplus y_2{d}_2\oplus y_1{d}_3\oplus y_0{b}_3\\ {q^{\prime }}_6{}^{-1}=y_3{d}_2\oplus y_2{d}_1\oplus y_1{b}_3\oplus y_0{b}_2\\ {q^{\prime }}_5{}^{-1}=y_3{b}_2\oplus y_2{d}_3\oplus y_1{d}_0\oplus y_0{b}_1\\ {q^{\prime }}_4{}^{-1}=y_3{d}_3\oplus y_2{b}_3\oplus y_1{b}_1\oplus y_0{b}_0\\ {q^{\prime }}_3{}^{-1}=y_3{d}_9\oplus y_2{d}_{10}\oplus y_1{d}_{11}\oplus y_0{d}_4\\ {q^{\prime }}_2{}^{-1}=y_3{d}_{10}\oplus y_2{d}_{12}\oplus y_1{d}_4\oplus y_0{d}_5\\ {q^{\prime }}_1{}^{-1}=y_3{d}_5\oplus y_2{d}_{11}\oplus y_1{d}_{13}\oplus y_0{d}_6\\ {q^{\prime }}_0{}^{-1}=y_3{d}_{11}\oplus y_2{d}_4\oplus y_1{d}_6\oplus y_0{d}_7\end{array}$ (29)

4.3. The Merged Module of Inverse Isomorphism and Affine Transformation

This module completes the operation $a=\left(A{\delta }^{-1}{q^{\prime }}^{-1}\right)\oplus 63\text{H}$ . For this module, we use two methods to optimize the logic to reduce the number of logic gates and shorten the critical path delay: 1) To merge the inverse isomorphic mapping and affine transformation into a matrix transformation. 2) To simplify the logic expression for XOR operation with 63H by using NOT gate to replace XOR.

Specifically, we let $B=A\times {\delta }^{-1}$ , ${q^{\prime }}^{-1}$ and q to be the input and output of the merged module of inverse isomorphism and affine transformation respectively. Then the expression of the original expression $a=\left(A{\delta }^{-1}{q^{\prime }}^{-1}\right)\oplus 63\text{H}$ can be reduced to Equation (30).

$a=B{q^{\prime }}^{-1}\oplus 63\text{H}$ (30)

where the inverse transformation matrix ${\delta }^{-1}$ , affine transformation matrix A and merged matrix B corresponds to Equations (31), (32) and (33) respectively.

${\delta }^{-1}=\left[\begin{array}{cccccccc}1& 1& 1& 0& 0& 0& 1& 0\\ 0& 1& 0& 0& 0& 1& 0& 0\\ 0& 1& 1& 0& 0& 0& 1& 0\\ 0& 1& 1& 1& 0& 1& 1& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 1& 0& 0& 1& 1& 1& 1& 0\\ 0& 0& 1& 1& 0& 0& 0& 0\\ 0& 1& 1& 1& 0& 1& 0& 1\end{array}\right]$ (31)

$A=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 0& 0& 0\\ 0& 1& 1& 1& 1& 1& 0& 0\\ 0& 0& 1& 1& 1& 1& 1& 0\\ 0& 0& 0& 1& 1& 1& 1& 1\\ 1& 0& 0& 0& 1& 1& 1& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\\ 1& 1& 1& 0& 0& 0& 1& 1\\ 1& 1& 1& 1& 0& 0& 0& 1\end{array}\right]$ (32)

$B=A{\delta }^{-1}=\left[\begin{array}{cccccccc}1& 0& 0& 0& 1& 1& 0& 0\\ 1& 1& 1& 1& 0& 0& 0& 0\\ 1& 0& 0& 0& 0& 1& 0& 0\\ 1& 0& 0& 1& 0& 0& 1& 1\\ 0& 0& 0& 0& 0& 1& 1& 1\\ 0& 1& 1& 1& 1& 1& 0& 1\\ 1& 0& 0& 0& 0& 0& 0& 1\\ 1& 1& 0& 0& 0& 1& 1& 1\end{array}\right]$ (33)

Then by combining the Equations (30) and (33), we can get the expression of output of S-box a as shown in Equation (34).

$\{\begin{array}{l}{a}_7={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_3{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus 0\\ a_6={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_5{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\oplus 1\\ a_5={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus 1\\ a_4={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\oplus 0\\ a_3={q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\oplus 0\\ a_2={q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_5{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\oplus {q^{\prime }}_3{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\oplus 0\\ a_1={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\oplus 1\\ a_0={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\oplus 1\end{array}$ (34)

Observing the expression in Equation (34), we find that expressions of $a_6$ , $a_5$ , $a_1$ , $a_0$ includes constant term 1 and they are common term ${q^{\prime }}_7{}^{-1}$ . Thus we can use $\overline{{q^{\prime }}_7{}^{-1}}$ to substitute the ${q^{\prime }}_7{}^{-1}\oplus 1$ and convert Equation (34) into Equation (35), which simplify the expression and reduce the number of XOR gate.

$\{\begin{array}{l}{a}_7={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_3{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\\ a_6=\overline{{q^{\prime }}_7{}^{-1}}\oplus {q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_5{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\\ a_5=\overline{{q^{\prime }}_7{}^{-1}}\oplus {q^{\prime }}_2{}^{-1}\\ a_4={q^{\prime }}_7{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\\ a_3={q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\\ a_2={q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_5{}^{-1}\oplus {q^{\prime }}_4{}^{-1}\oplus {q^{\prime }}_3{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\\ a_1=\overline{{q^{\prime }}_7{}^{-1}}\oplus {q^{\prime }}_0{}^{-1}\\ a_0=\overline{{q^{\prime }}_7{}^{-1}}\oplus {q^{\prime }}_6{}^{-1}\oplus {q^{\prime }}_2{}^{-1}\oplus {q^{\prime }}_1{}^{-1}\oplus {q^{\prime }}_0{}^{-1}\end{array}$ (35)

4.4. Example

To test the correctness of the output of each segment, taking the input 11110000 as an example and referring to equations (5), (21), (26), (28), (29) and (35), we calculate and obtain the operation results of each segment in Figure 1 and the final S-box output as shown in Table 2. It is observed that the output of S-box of proposed S-box is consistent with the output of AES standard, which proves that the expression of each segment is correct.

5. Experiment Result and Performance Evaluation

In order to evaluate the hardware implementation performance of the proposed architecture, we modelled and simulated the proposed design using Verilog language and Modelsim respectively. Design Complier (DC) was employed to complete ASIC synthesis under TSMC 90nm CMOS Technology library.

Figure 4 shows the simulation results of two kinds of S-box. In Figure 4, s_box_1_out represents the output result of the standard AES S-box, and s_box is that of the S-box proposed in this paper. As shown in Figure 4, the output of the S-box in this paper is consistent with that of the standard S-box for different inputs, which proves that the scheme in this paper is correct.

Table 3 shows the DC synthesis results and the theoretical estimation results of Critical Path Delay (CPD). Note that the delay equivalent relationship between logic gates used to estimate CPD and equivalent CPD in Table 3 refers to the standard in [13] . The specific equivalent relationship is listed in Table 4. Note that, in Table 4, XOR stands for two-input XOR gate, AND two-input AND gate, AND3X1 three-input AND gate, OR two-input OR gate, MUX two-input multiplexer.

According to the DC synthesis results in Table 3, we first compared the synthesis results of our proposed S-box with [16] synthesized using the same TSMC 90 nm CMOS standard cell library.

The results indicate that the S-box implementation proposed in this paper only needs 1593.24 μm² area overhead. In comparison with the implementation of the pipeline architecture proposed in [16] , although the implementation in this paper reduces the frequency and throughput by approximately 13.54% and 13.55% respectively, the area overhead is reduced by about 42.47%, leading to an increase in hardware efficiency (throughput/area) by about 50.29%. Obviously, the scheme proposed in this paper offers significant advantages in terms of area overhead and hardware efficiency.

In addition, in terms of CPD, the S-box implementation proposed in this paper has a CPD of 15 XOR + 2 AND + 1 AND3X1 + 2 INV. The CPD is calculated based on Equations (5), (21), (26), (28), (29), (35) which is corresponding to five segments in Figure 1 in Section 3. Specifically, the CPD is 3 XOR for Equation (5), 4 XOR + 1 AND + 1 INV for Equation (21), and 3 XOR + 1 AND3X1 + 1 INV for Equation (26) and (28) (calculated in parallel). Then the CPD of Equation (29) and (35) are 2 XOR + 1 AND and 3 XOR, respectively. Comparatively, the CPD in [16] is 19 XOR + 3 AND + 1 OR + 2 MUX. After being converted equivalently according to the relationship shown in Table 4, the CPD of this paper is 51 NAND + 4 INV, whereas that of [16] is 65 NAND + 8 INV. It is evident that the CPD of the S-box proposed in this paper saves the delay of 14 NAND and 4 INV logic gates compared with [16] . Even ignoring the difference in the number of INV logic gates, the CPD of the S-box in this paper is about 21.54% higher than that in [16] , which is a relatively valuable improvement. However, it should be noted that the DC synthesis results in [16] show that its working clock frequency is higher than that in this paper. This is mainly because the synthesis results given in [16] are for the S-box of 5-level pipeline architecture in which its clock frequency is determined by the CPD of some sub-stage, but not entire S-box.

Secondly, we compared our proposed implementation with [14] and [20] which were synthesized using TSMC 65 nm and 40 nm CMOS standard cell library respectively. For the convenience of comparison with related data in [14] , we calculated that the frequency (frequency = 1/Time) and throughput (throughput = 8 bit/Time) in [14] are approximately 328.95 Mhz and 2.632 Gbps respectively based on the Time given in [14] and made a comparison with corresponding data in this paper. The comparison results show that the Time of the proposed implementation in this paper is reduced by approximately 68.42% compared to [14] , which indicates that the speed of S-box implementation proposed in this paper significantly surpasses that reported in [14] . Furthermore, despite the larger area of the S-box proposed in this paper compared to [14] , the S-box in this paper exhibits a lower area-time product (GE*Time) reduced by approximately 28.34%. It implied that our design achieves a superior balance between area and speed.

Reference [20] is the latest known paper focusing on S-box implementation. To facilitate comparison, we first calculated that the equivalent GE in [20] is 1223 two-input NAND Gates (the equivalent GE under TSMC40 nm technology library = area under TSMC40 nm/0.68 where 0.68 is the area of the two-input NAND in the TSMC 40 nm technology library). The comparison results show that the S-box implementation proposed in this paper can save GE and the product of GE and Time by approximately 53.80% and 44.56% respectively and improve 80.59% hardware efficiency compared to that in [20] .

Overall, the S-box implementation proposed in this paper has obvious advantages over the existing schemes in terms of area overhead, critical path delay and hardware efficiency. It can provide favorable support for implementing efficient and compact AES S-box ASIC design.

6. Conclusions and Future Work

Aiming at the shortcomings of low processing speed and computational complexity in multiplicative inversion over the finite field, this paper explores the optimization of AES S-box and proposes a segmented optimized S-box architecture by using the idea of calculating inverse elements in tower fields and combining with Karnaugh map simplification and IVB technique. This architecture was divided into three modules: an isomorphic mapping module, an inversion module in composite fields and a merged module of inverse isomorphism and affine transformation. In this way, we simplify the logic of the S-box implementation.

In the isomorphic mapping module, based on the concept of composite fields, we map elements in the finite field to the composite field, thus reducing the complexity of calculations. In the inversion module in composite fields, we use the recursive method to optimize the inversion part. The experimental results indicate that compared with the traditional algebraic method, our design effectively reduces the computational complexity and area overhead. In the merged module of inverse isomorphism and affine transformation, we combine the matrix of inverse isomorphic mapping and affine transformation into one to further simplify the logic expression of the S-box.

In conclusion, the segmented optimized S-box architecture proposed in this paper has the characteristics of small area, low critical path delay and high hardware efficiency which is very valuable for area-limited applications.

While we have made some progress in the implementation of S-boxes, we only consider the forward AES S-box in this paper because many operations in the block encryption algorithm only involve encryption. The inverse S-box and the forward S-box have many similar parts, so how to design the low-area inverse S-box and how to combine the S-box and the inverse S-box is the work we need to study in the future. At the same time, although the AES encryption algorithm has higher security performance, the security of AES hardware implementation is seriously threatened by the development of hardware attack technology. Therefore, to improve the security of the AES encryption algorithm, adding fault detection on the basis of the proposed S-box architecture is also our future work.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

References

[1]	Xu, Y.T., Lyu, Z.G., Huang, Y.G. and Li, X.Y. (2020) Optimization and Implementation of AES Algorithm Based on STM32 MCU. Process Automation Instrumentation, 41, 56-60. https://chn.oversea.cnki.net/KCMS/detail/detail.aspx?dbcode=CJFD&dbname=CJFDLAST2020&filename=ZDYB202007013&uniplatform=OVERSEA&v=FBrazSYzB-bBRjeM4cilrp85xrbI9lm56klGQJewY_FfxAjpFv1g49uZwQfYYS3u
[2]	Manjith, B.C. (2019) Improving Overall Parallelism in AES Accelerator Using BRAM and Multiple Input Blocks. 2019 Innovations in Power and Advanced Computing Technologies (i-PACT), Vellore, 22-23 March 2019, 1-5. https://doi.org/10.1109/i-PACT44901.2019.8960016
[3]	Arul Murugan, C., Karthigaikumar, P. and Priya, S.S. (2020) FPGA Implementation of Hardware Architecture with AES Encryptor Using Sub-Pipelined S-Box Techniques for Compact Applications. Automatika, 61, 682-693. https://doi.org/10.1080/00051144.2020.1816388
[4]	Rachh, R.R. and Ananda Mohan, P.V. (2008) Implementation of AES S-Boxes Using Combinational Logic. 2008 IEEE International Symposium on Circuits and Systems (ISCAS), Seattle, 18-21 May 2008, 3294-3297. https://doi.org/10.1109/ISCAS.2008.4542162
[5]	Ahmad, N., Rezaul Hasanand, R. and Jubadi, W.M. (2010) Design of AES S-Box Using Combinational Logic Optimization. 2010 IEEE Symposium on Industrial Electronics & Applications (ISIEA), Penang, 3-5 October 2010, 696-699. https://doi.org/10.1109/ISIEA.2010.5679375
[6]	Wang, Q., Liang, J. and Qi, Y. (2010) The Area Optimized Implementation of S-box in AES Algorithm. Chinese Journal of Electronics, 38, 939-942. https://kns.cnki.net/kcms2/article/abstract?v=smPsKIJgVaAXklosraIEqnytl0tPMLltpr9WZoEcUceHoSuINcBb4nLePRzxH-SSJdJ5qxypin17TJWVPQy99V8N47WNPrJaAIT7SexfzEdyNjgiXFuNLuhitAQEjLJSuxZ3wNLE8p8=&uniplatform=NZKPT&language=CHS
[7]	Qin, X.C. and Li, S.G. (2014) An Expression Method to Implement S-Box and Inverse S-Box Substitution for AES Algorithm. Microelectronics & Computer, 31, 112-115. https://kns.cnki.net/kcms2/article/abstract?v=smPsKIJgVaAXklosraIEqnytl0tPMLltpr9WZoEcUceHoSuINcBb4nLePRzxH-SSJdJ5qxypin17TJWVPQy99V8N47WNPrJaAIT7SexfzEdyNjgiXFuNLuhitAQEjLJSuxZ3wNLE8p8=&uniplatform=NZKPT&language=CHS
[8]	Satoh, A., Morioka, S., Takano, K. and Munetoh, S. (2001) A Compact Rijndael Hardware Architecture with S-Box Optimization. In: Boyd, C., Ed., ASIACRYPT 2001: Advances in Cryptology—ASIACRYPT 2001, Springer, Berlin, 239-254. https://doi.org/10.1007/3-540-45682-1_15
[9]	Canright, D. (2005) A Very Compact S-Box for AES. In: Rao, J.R. and Sunar, B., Eds., CHES 2005: Cryptographic Hardware and Embedded Systems—CHES 2005, Springer, Berlin, 441-455. https://doi.org/10.1007/11545262_32
[10]	Reyhani-Masoleh, A., Taha, M. and Ashmawy, D. (2018) Smashing the Implementation Records of AES S-Box. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018, 298-336. https://doi.org/10.46586/tches.v2018.i2.298-336
[11]	Ashmawy, D. and Reyhani-Masoleh, A. (2021) A Faster Hardware Implementation of the AES S-Box. 2021 IEEE 28th Symposium on Computer Arithmetic (ARITH), Lyngby, 14-16 June 2021, 123-130. https://doi.org/10.1109/ARITH51176.2021.00034
[12]	Qin, P.Y., Zhou, F., Wu, N. and Xian, F.C. (2021) A Compact Implementation of AES S-Box Based on Dual Basis. 2021 IEEE 4th International Conference on Electronics Technology (ICET), Chengdu, 7-10 May 2021, 118-122. https://doi.org/10.1109/ICET51757.2021.9451103
[13]	Li, Y.J., Zhang, W.G., Ge, Y.D., Huang, Y.T. and Huo, S.S. (2023) Optimized Realization of AES-Like Algorithm S-Box. Journal of Cryptologic Research, 10, 531-538. https://chn.oversea.cnki.net/KCMS/detail/detail.aspx?dbcode=CJFD&dbname=CJFDLAST2023&filename=MMXB202303007&uniplatform=OVERSEA&v=3krAWpsgW0pQFgxPqPGHNXUu9KOVM3LR-yRj4uPmzaytoGewPl1MMY0QmJe5iVlK
[14]	Ueno, R., Homma, N., Nogami, Y. and Aoki, T. (2018) Highly Efficient GF(28) Inversion Circuit Based on Hybrid GF Representations. Journal of Cryptographic Engineering, 9, 101-113. https://doi.org/10.1007/s13389-018-0187-8
[15]	Reyhani-Masoleh, A., Taha, M. and Ashmawy, D. (2020) New Low-Area Designs for the AES Forward, Inverse and Combined S-Boxes. IEEE Transactions on Computers, 69, 1757-1773. https://doi.org/10.1109/TC.2019.2922601
[16]	Teng, Y.T., Chin, W.L., Chang, D.K., Chen, P.Y. and Chen, P.W. (2022) VLSI Architecture of S-Box with High Area Efficiency Based on Composite Field Arithmetic. IEEE Access, 10, 2721-2728. https://doi.org/10.1109/ACCESS.2021.3139040
[17]	Zhong, X.L. and Wu, X.C. (2023) Improved Scheme for AES S-Box and Its Hardware Design. Application Research of Computers, 40, 3784-3788. https://chn.oversea.cnki.net/KCMS/detail/detail.aspx?dbcode=CJFD&dbname=CJFDLAST2024&filename=JSYJ202312041&uniplatform=OVERSEA&v=6V31X-ZMm4dw3aUv6LWSfloYqa4O0wQBBQfFsOG5q8ozVts-sEJtUdkPlBfClBfe
[18]	Shen, X.C. and Han, M. (2018) Improved S-box Based on Strict Avalanche Distance Criterion. Microelectronics & Computer, 35, 92-96. https://chn.oversea.cnki.net/KCMS/detail/detail.aspx?dbcode=CJFD&dbname=CJFDLAST2018&filename=WXYJ201806020&uniplatform=OVERSEA&v=y8jwcNYZOk4NEvpQNzq689lZkTI8P8tEKPKjl4d94PoJ4RAsb8iS50lWFfAulS1X
[19]	Nakashima, A., Ueno, R. and Homma, N. (2022) AES S-Box Hardware with Efficiency Improvement Based on Linear Mapping Optimization. IEEE Transactions on Circuits and Systems II: Express Briefs, 69, 3978-3982. https://doi.org/10.1109/TCSII.2022.3185632
[20]	Lin, S.H., Lee, J.Y., Chuang, C.C., Lee, N.Y., Chen, P.Y. and Chin, W.L. (2023) Hardware Implementation of High-Throughput S-Box in AES for Information Security. IEEE Access, 11, 59049-59058. https://doi.org/10.1109/ACCESS.2023.3284142
[21]	Maity, H., Kundu, P., Bhowmik, A. and Barik, A.K. (2023) Input Variable Bypass or IVB Technique for Logic Functions Simplification. 2023 IEEE Devices for Integrated Circuit (DevIC), Kalyani, 7-8 April 2023, 1-4. https://doi.org/10.1109/DevIC57758.2023.10135020
[22]	Mui, E.N., Custom, R. and Engineer, D. (2007) Practical Implementation of Rijndael S-Box Using Combinational Logic. Custom R&D Engineer Texco Enterprise Pvt. Ltd. http://www.geocities.ws/dariuskrail20/Practical_Implementation_of_Rijndael_S-Box_Using_Combinational_Logic.pdf