SubBytes Transformation

The SubBytes can be implemented in two types: combinational look up table (LUT) based and composite field based. The LUT based method is usually adopted in high throughput architectures because the SubBytes transformation is implemented in logic level and the critical path can be optimized by truth table or Karnaugh-Map. The composite filed method uses arithmetics in finite field to optimize the SubBytes in terms of hardware complexity.

A finite field arithmetic unit is used for SubBytes to reduce required hardware resources.

Therefore, the composite field based method is usually adopted for low cost architectures. In this subsection, previous works on the composite field based SubBytes are illustrated.

As mentioned earlier, the SubBytes can be decomposed into multiplicative inversion followed by affine transformation. The multiplicative inversion in GF (2⁸) can be com-puted by extended Euclidean algorithm. However, the calculation of inverse in GF (2⁸) is quite complicated while the calculation of inverse in GF (2²) is relative easy, as sug-gested by Rijmen [57]. Therefore, field elements can be transformed to composite field GF((2⁴)²)[22,31–33,38,53] or GF (((2²)²)²)[20,54] to reduce the hardware complexity.

An element G in GF (2⁸) can be represented over GF (2⁴) as G = γ1y + γ0 with ir-reducible polynomial r(y) = y² + τ y + ν. Note that coefficients γ1 and γ0 are both 4-bit elements in subfield GF (2⁴). In this way, the pair [γ¹, γ0] can be used to present the element Gin field GF ((2⁴)²). The element can be represented using the polynomial basis [Y, 1] or using the normal basis [Y¹⁶, Y], where Y¹⁶ and Y are roots of r(y). Note that in normal

basis, Y¹⁶and Y are both roots of r(y). As a result,

r(y) = y²+ τ y + ν = (y + Y )(y + Y¹⁶), (3.1)

which means τ = (Y + Y¹⁶)is the trace and ν = (Y )(Y¹⁶)is the norm of Y.

Similarly, coefficients in GF (2⁴) can be represented over GF (2²) as Γ1z + Γ0 with irreducible polynomial r(z) = z² + T z + N, where Γ1 and Γ0 are both in subfield GF (2²).

Again, the element can be represented using the polynomial basis [Z, 1] or using the normal basis [Z⁴, Z]. Note that T = Z + Z⁴ is the trace and N = (Z)(Z⁴)is the norm of Z if they are represented in normal basis.

At last, the element in GF (2²) can be also represented over GF (2) as g¹w+ g0 with irreducible polynomial r(w) = w² + w + 1, where g¹ and g⁰ are both in GF (2), or single bits. The polynomial basis [W, 1] and the normal basis [W², W] can be used to represent the pair [g1, g0]. The above decomposition can simplify the operation in GF (2⁸)to GF (2⁴), which in turn can be simplified further over GF (2²)and GF (2).

Polynomial Basis

The multiplication in GF (2⁸)can be mapped to GF ((2⁴)²)modulo r(y) as

(γ1y+ γ0)(δ1y+ δ0) = (γ1δ0+ γ0δ1+ γ1δ1τ)y + (γ0δ0+ γ1δ1ν). (3.2)

Thus, the multiplicative inverse can be computed by making the right hand side of equation 3.2 equal to 1. In this way, δ1y+δ0is the multiplicative inverse of γ1y+γ0. The multiplicative inverse can be found by solving following equations:

γ1δ0+ γ0δ1+ γ1δ1τ = 0 γ0δ0+ γ1δ1ν= 1.

(3.3)

(a)

(b)

Figure 3.1: Polynomial basis inverter (a) Over GF (2⁸). (b) Over GF (2⁴).

The multiplicative inverse is then given by

(γ1y+ γ0)⁻¹ = (δ1y+ δ0) = [θ⁻¹γ1]y + [θ⁻¹(γ0+ γ1τ)] (3.4)

where θ = γ1²ν+ γ1γ0τ + γ0².

The multiplicative inverse in GF (2⁸)is then decomposed into a series of multiplications, additions, and a multiplicative inverse in GF (2⁴). The equation 3.2 and 3.4 then can be modified to decompose the operation in GF (2⁴)into GF (2²). Once the operation is reduced over GF (2²), the inverse operation is identical to the square operation because for Γ ∈ GF(2²), Γ⁴ = Γ, and therefore Γ² = Γ⁻¹.

Fig. 3.1(a) shows the multiplicative inverter over the polynomial basis in GF ((2⁴)²). The inverter in field GF (2⁴)can be implemented by a series of multiplication such that x⁻¹ = x¹⁴, by combinational LUT with 16 entries, or by further decomposition of the inverter over GF(2²). Fig. 3.1(b) shows different implementations of the inverter in GF (2⁴).

Normal Basis

The operation in normal basis [Y¹⁶, Y], where Y¹⁶and Y are roots of r(y) = y² + τ y + ν, uses properties τ = Y¹⁶+ Y, ν = (Y¹⁶)(Y ), and 1 = τ⁻¹(Y¹⁶+ Y ). The multiplication in GF(2⁸)then can be decomposed into GF ((2⁴)²)modulo r(y) as:

(γ1Y¹⁶+ γ0Y)(δ1Y¹⁶+ δ0Y) = γ1δ1Y³²+ (γ1δ0+ γ0δ1)Y¹⁷+ γ0δ0Y²

= γ1δ1(τ Y¹⁶+ ν) + (γ1δ0+ γ0δ1)ν + γ0δ0(τ Y + ν)

= γ1δ1τ Y¹⁶+ γ0δ0τ Y + (γ1+ γ0)(δ1+ δ0)ντ⁻¹(Y¹⁶+ Y )

= (γ1δ1τ + θ)Y¹⁶+ (γ0δ0τ + θ)Y

(3.5) where θ = (γ¹ + γ0)(δ1 + δ0)ντ⁻¹. Again, the multiplicative inverse can be calculated by making (γ1Y¹⁶+ γ0Y)(δ)1Y¹⁶+ δ0Y) = 1 = τ⁻¹Y¹⁶+ τ⁻¹Y. Then the inverse can be found by solving following equations:

[γ1δ1τ+ (γ1+ γ0)(δ1+ δ0)ντ⁻¹] = τ⁻¹ [γ0δ0τ+ (γ1+ γ0)(δ1+ δ0)ντ⁻¹] = τ⁻¹

(3.6)

The multiplicative inverse in normal basis is then given by

(γ1Y¹⁶+ γ0Y)⁻¹ = (δ1Y¹⁶+ δ0Y) = [θ⁰⁻¹γ0]Y¹⁶+ [θ⁰⁻¹γ1]Y, (3.7)

where θ⁰ = γ1γ0τ²+ (γ1²+ γ0²)ν.

The multiplicative inverse in GF (2⁸)can be decomposed into a series of multiplications, additions, and a inverse in GF (2⁴). Fig. 3.2 shows the inverter in GF (2⁸) with normal basis. The inverter consists of three multipliers, two adders, one inverter, and one squarer multiplied by constant ν. The multiplication in GF (2⁴)is analogous to that in GF (2⁸)as

(Γ1Z⁴+ Γ0Z)(∆1Z⁴+ ∆0Z) = (Γ1∆1T + Θ)Z⁴+ (Γ0∆0T + Θ)Z (3.8)

Figure 3.2: Normal basis inverter in GF (2⁸).

Figure 3.3: Normal basis multiplier in GF (2⁴).

where Θ = (Γ1+ Γ0)(∆1 + ∆0)N T⁻¹. The architecture of multiplier in GF (2⁴)is shown in Fig. 3.3. Note that multiplications and additions are performed over GF (2²). The mul-tiplication in GF (2²)has the same structure, except that it lacks of scaling by norm, and in GF(2)the multiplication is identical to AND operation.

In addition to multipliers and adders, another operation needed in GF (2⁴) is the com-bined operation of squaring followed by scaling ν as shown in Fig. 3.2. The comcom-bined operation can be represented as:

(Γ1Z⁴+ Γ0Z)²× ν = [(Γ1+ Γ0)²]Z⁴+ [(N × Γ0)²]Z. (3.9)

The operation in GF (2⁴) now can be performed with addition, multiplication, and squar-ing in GF (2²). Note that in GF (2²) the inversion is the same as the squaring and can be

represented as:

(g1W²+ g0W)⁻¹= (g1W²+ g0W)² = g1²W⁴+ g0²W²

= g1²(W²+ 1) + g0²W2

= g1²W²+ g1²(W²+ W ) + g²0W²

= g0²W²+ g1²W

= g0W²+ g1W,

(3.10)

indicating that the squaring or inversion in GF (2²)is free by swapping the bit positions.

The remaining operation needed in GF (2⁴)multiplier is multiplication in GF (2²) and then scaling by N = W². The combined operation can be represented as:

(g1W²+ g0W)(d1W²+ d0W) × N = g1d1W⁶+ (g1d0+ g0d1)W⁵+ g0d0W⁴

= g1d1+ (g1d0+ g0d1)W²+ g0d0W

= g1d1(W²+ W ) + (g1d0+ g0d1)W²+ g0d0W

= (g1d1+ g1d0+ g0d1)W²+ (g1d1+ g0d0)W

= [g0d0+ (g1+ g0)(d1+ d0)]W²+ (g1d1+ g0d0)W (3.11)

Inv-/SubBytes Sharing

For SubBytes and Inv-SubBytes transformations, the multiplicative inversion can be shared to reduce hardware resources. Fig. 3.4 shows the data flow of forward SubBytes transforma-tion. The input byte is applied to a field transformation matrix δ first and then the element is applied to the multiplicative inversion over composite field GF ((2⁴)²)or GF (((2²)²)²).

Then the field element is mapped back to GF (2⁸)by the inverse of field transformation ma-trix δ⁻¹. At last, the element is applied to the affine transformation to finish the SubBytes transformation. Note that the inverse filed transformation matrix and the affine transforma-tion can be combined to reduce the number of matrix operatransforma-tion. Fig. 3.4 also shows the flow

Figure 3.4: Inv-/SubBytes sharing structure.

of the Inv-SubBytes transformation. The input data byte is first applied to a inverse affine transformation and then the element is mapped in to composite field by δ. The final result can be obtained by applying the inverse field transformation to the multiplicative inverse.

Note that the inverse affine transformation and the field transformation matrix can also be combined to reduce the number of matrix operation. With this structure, the multiplicative inversion can be shared in both encryption and decryption process.

The result from [54] shows that total 180 and 182 gates are required for the SubBytes and Inv-SubBytes, respectively. The total number of gates for both encryption and decryption would be 362 gates. By the hardware sharing of the multiplicative inverse unit, the combined SubBytes/Inv-SubBytes only requires 234 gates.