Paper 2018/1074

Yet Another Size Record for AES: A First-Order SCA Secure AES S-box Based on GF($2^8$) Multiplication

Felix Wegener and Amir Moradi


It is well known that Canright’s tower field construction leads to a very small, unprotected AES S-box circuit by recursively embedding Galois Field operations into smaller fields. The current size record for the AES S-box by Boyar, Matthews and Peralta improves the original design with optimal subcomponents, while maintaining the overall tower-field structure. Similarly, all small state-of-the-art first-order SCA-secure AES S-box constructions are based on a tower field structure. We demonstrate that a smaller first-order secure AES S-box is achievable by representing the field inversion as a multiplication chain of length 4. Based on this representation, we showcase a very compact S-box circuit with only one GF($2^8$)-multiplier instance. Thereby, we introduce a new high-level representation of the AES S-box and set a new record for the smallest first-order secure implementation

Available format(s)
Publication info
Published elsewhere. MINOR revision.CARDIS 2018
side-channel analysisThreshold ImplementationAESDomain-oriented Masking
Contact author(s)
felix wegener @ rub de
2018-11-09: received
Short URL
Creative Commons Attribution


      author = {Felix Wegener and Amir Moradi},
      title = {Yet Another Size Record for AES: A First-Order SCA Secure AES S-box Based on GF($2^8$) Multiplication},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1074},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.