Fast implementation of GF(2^8) inversion with applications to the AES S-box using ARM Helium MVE extensions

  • Eric Azevedo de Oliveira UNICAMP
  • Décio Luiz Gazzoni Filho UNICAMP / UEL
  • Felix Carvalho Rodrigues UNICAMP
  • Julio López UNICAMP

Abstract


The AES block cipher is widely used in embedded systems. Efficient realizations of its S-box, which consists of a costly inversion in GF(28) and an affine transformation, are usually done with lookup tables, which may be vulnerable to timing side-channel attacks. We develop a constant-time inversion algorithm in GF(28) optimized with Arm Helium MVE extensions and a fully vectorized suite of field-arithmetic primitives, from which we derive three Cortex-M S-box implementations: two table-free exponentiation schedules requiring only three field multiplications, and a third variant employing a compact, vectorized 16-byte lookup table. We integrate these methods into a constant-time AES-128 implementation on a Cortex-M85, demonstrating that our proposal is competitive with state-of-the-art implementations.
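As an added example (not code from the paper), a plain-C, table-free AES S-box built the way the abstract describes: a constant-time GF(2^8) inversion by exponentiation followed by the AES affine transformation, checked against FIPS 197 reference values. The square-and-multiply chain used here is a generic one with four multiplications, not the paper's three-multiplication Helium schedule, and gf_mul, gf_inv and aes_sbox are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant-time GF(2^8) multiply modulo the AES polynomial x^8+x^4+x^3+x+1:
 * bit-serial, every data-dependent choice is made with a mask, no branches. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= a & (uint8_t)-(b & 1);           /* add a when bit i of b is set */
        uint8_t carry = (uint8_t)-(a >> 7);   /* 0xFF when a*x overflows degree 7 */
        a = (uint8_t)((a << 1) ^ (0x1B & carry));
        b >>= 1;
    }
    return p;
}
static uint8_t gf_sq(uint8_t a) { return gf_mul(a, a); }

/* a^-1 = a^254 by a fixed chain (4 multiplications, 7 squarings); a generic
 * chain for this example, not the paper's three-multiplication schedule. 0 -> 0. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t a3   = gf_mul(gf_sq(a), a);            /* a^3   */
    uint8_t a15  = gf_mul(gf_sq(gf_sq(a3)), a3);   /* a^15  */
    uint8_t a63  = gf_mul(gf_sq(gf_sq(a15)), a3);  /* a^63  */
    uint8_t a127 = gf_mul(gf_sq(a63), a);          /* a^127 */
    return gf_sq(a127);                             /* a^254 */
}

/* AES affine transformation (FIPS 197): b ^ rotl(b,1..4) ^ 0x63. */
static uint8_t rotl8(uint8_t v, int n) { return (uint8_t)((v << n) | (v >> (8 - n))); }
static uint8_t aes_sbox(uint8_t x)
{
    uint8_t b = gf_inv(x);
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63;
}

/* Self-test: a*a^-1 = 1 for all nonzero a, plus FIPS 197 values S(0)=0x63, S(0x53)=0xED. */
static int sbox_selftest(void)
{
    for (int a = 1; a < 256; a++)
        if (gf_mul((uint8_t)a, gf_inv((uint8_t)a)) != 1) return 0;
    return aes_sbox(0x00) == 0x63 && aes_sbox(0x53) == 0xED;
}

int main(void)
{
    printf("selftest %s, S(0x53) = 0x%02X\n", sbox_selftest() ? "ok" : "FAILED", aes_sbox(0x53));
    return 0;
}
```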

Published: 2025-09-01

OLIVEIRA, Eric Azevedo de; GAZZONI FILHO, Décio Luiz; RODRIGUES, Felix Carvalho; LÓPEZ, Julio. Fast implementation of GF(2^8) inversion with applications to the AES S-box using ARM Helium MVE extensions. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 1051-1058. DOI: https://doi.org/10.5753/sbseg.2025.10439.
