Composite Field GF(((2²)²)²) AES S-box with Algebraic Normal Form Representation in the Subfield Inversion

This page supplements our research output presented in M. M. Wong et. al. "Composite Field GF(((2²)²)²) AES S-box with Algebraic Normal Form Representation in the Subfield Inversion", IET CDS, 2011. We exploit the Algebraic Normal Form (ANF) representation in the subfield inversion over GF((2²)²) to improve both area reduction and performance improvementation in composite field GF(((2²)²)²) AES S-box. This is done by converting the GF((2²)²) inversion into several logical expressions, without violating the functionality of the circuit's algorithm. The conversion is performed through individual deduction of each of the bit's inversion in the field element. For instance, taking an element of GF(2⁴) as a = {a₃ , a₂, a₁, a₀} , hence its inversion a^-1 = {a₃^-1 a₂^-1 , a₁^-1 , a₀^-1 }.

Basically, We can classify the GF(((2²)²)²) AES S-box into four general architectures:

where
Case I: Using polynomial basis representation with field polynomials' traces equal to unity
Case II: Using polynomial basis representation with field polynomials' norms equal to unity
Case III: Using normal basis representation with field polynomials' traces equal to unity
Case IV: Using normal basis representation with field polynomials' norms equal to unity

While there are two possible values (W and W²) for the trace or the norm of the irreducible polynomial over GF(2⁴) (and setting one of them equal unity), two detailed implementations for each of the four architectures are offered. Hence, a total of eight different ANF GF((2²)²) inversions are derived and listed here below.

Through sub-structure sharing optimization, the total gate count and the respective critical path for each circuitry is tabulated in this table below.