Affine-Power S-Boxes over Galois Fields with Area-Optimized Logic Implementations by Wood, Christopher et al.
Rochester Institute of Technology, RIT Scholar Works
Presentations and other scholarship, Faculty & Staff Scholarship
9-30-2015




This Conference Paper is brought to you for free and open access by the Faculty & Staff Scholarship at RIT Scholar Works. It has been accepted for inclusion in Presentations and other scholarship by an authorized administrator of RIT Scholar Works. For more information, please contact ritscholarworks@rit.edu.
Recommended Citation: Wood, Christopher; Lukowiak, Marcin; and Radziszowski, Stanislaw, "Affine-Power S-Boxes over Galois Fields with Area-Optimized Logic Implementations" (2015). Accessed from https://scholarworks.rit.edu/other/836
Affine-Power S-Boxes over Galois Fields with Area-Optimized Logic Implementations
Christopher A. Wood (1,2), Stanisław P. Radziszowski (2), Marcin Lukowiak (3)
1 Department of Computer Science, UC Irvine
2 Department of Computer Science, Rochester Institute of Technology
3 Department of Computer Engineering, Rochester Institute of Technology
Abstract. Cryptographic S-boxes are fundamental in key-iterated substitution permutation network (SPN) designs for block ciphers. As a natural way for realizing Shannon's confusion and diffusion properties in cryptographic primitives through nonlinear and linear behavior, respectively, SPN designs served as the basis for the Advanced Encryption Standard and a variety of other block ciphers. In this work we present a methodology for minimizing the logic resources for n-bit affine-power S-boxes over Galois fields based on measurable security properties and finding corresponding area-efficient combinational implementations in hardware. Motivated by the potential need for new and larger S-boxes, we use our methodology to find area-optimized circuits for 8- and 16-bit S-boxes. Our methodology is capable of finding good upper bounds on the number of XOR and AND gate equivalents needed for these circuits, which can be further optimized using modern CAD tools.
Keywords: S-box design and construction, 16-bit S-boxes, composite Galois fields, S-box combinational circuits
1 Introduction
In order to enable area-efficient hardware implementations of block ciphers based on the key-iterated substitution permutation network (SPN) design principle, such as the Advanced Encryption Standard (AES) [13], the logic resources for each component or operation in the algorithm must be reduced as much as feasible. Traditionally, research efforts to minimize such resources have focused on the S-box, the only nonlinear operation in the algorithm. Minimizing the area required for the AES S-box has been the subject of intense research because combinational implementations of this component often consume a majority of the total logic needed for the algorithm. In addition, with the prevalence of side-channel attacks such as DPA and CPA [22, 4], combinational designs are necessary for secure implementations that cannot be easily exploited by these attacks.
To aid the implementation of future cryptographic primitives that rely on S-boxes, we present a comprehensive methodology for constructing and implementing cryptographically significant S-boxes with the goal of low-area combinational logic defined in terms of the number of XOR and AND gate requirements. An affine-power S-box S(x) is a composite function S(x) = A(P(x)) consisting of a highly nonlinear power mapping P over a binary Galois field and an affine transformation A. In developing our methodology we build upon the exhaustive mixed basis approach of Canright [6] and the combinational logic minimization techniques of Boyar and Peralta [2] used for the AES S-box. Our methodology is composed of three steps: finding suitable affine-power S-box constructions, programmatically and exhaustively searching for implementation parameters (i.e. subfield decompositions and basis representations) that permit area-optimized circuits, and then efficiently mapping them into technology-dependent resources using modern CAD tools.
We applied our methodology to find area-optimized 8- and 16-bit S-boxes over binary Galois fields. Using the affine-inverse construction leveraged by the AES S-box, we exhaustively searched for area-optimized S-boxes over GF(2^8) defined by all 30 irreducible polynomials over GF(2) of degree 8. Our search produced an 8-bit S-box with 103 XOR and 36 AND gates using the field polynomial t(v) = v^8 + v^6 + v^5 + v^4 + v^2 + v + 1, surpassing Canright's optimized S-box circuit for the AES, which uses a different field polynomial, by a single XOR gate prior to further logic optimization techniques. We also found new implementation parameters for the AES S-box that yield a reduction of a single XOR gate prior to the application of Boyar and Peralta's logic optimization techniques. In addition, for the 21 smallest irreducible polynomials of degree 16 over GF(2), we found several 16-bit S-box constructions that have small area footprints. For example, we found a set of implementation parameters that permit an area-optimized circuit composed of 1238 XOR and 144 AND gates. Even smaller gate counts were achieved for other polynomials.
2 Related Work
S-boxes in key-iterated SPN algorithms are often constructed as an affine transformation composed with an inverse power mapping over some Galois field, as is the case for the AES. This particular power mapping has many desired cryptographic properties that, in practice, effectively render many known cryptanalysis attacks ineffective. Consequently, much of the research on low-area implementations for affine-power S-boxes has focused on minimizing the combinational logic required for the multiplicative inverse calculation over binary Galois fields.
Out of all known methods to compute the multiplicative inverse in GF(2^n), the use of subfield decomposition has been the most effective and accepted technique for implementing low-area circuits. Using composite field arithmetic, the inverse can be computed using the Itoh-Tsujii inversion algorithm [17] or by direct decomposition to bitwise operations over GF(2) [30]. Under the assumption that the elements in a particular field are represented using a normal basis, the number of multiplications required in the Itoh-Tsujii inversion algorithm still yields complex combinational logic for small fields. In comparison, direct decomposition to GF(2) has yielded significantly smaller circuits [33, 34, 24, 6, 26, 27, 3, 2].
To date, the smallest AES S-box using composite field arithmetic and other combinational logic minimization techniques is due to Boyar and Peralta, who found an implementation that requires only 83 XOR/XNOR and 32 AND gates [2]. This fell below the previous area record of 104 XOR and 36 AND gates by Canright in 2005 [6], which was found by trying all mixed basis representations of the field GF(((2^2)^2)^2) to reduce the cost of the relevant arithmetic when computing the multiplicative inverse and then factoring all basis change matrices needed to map between GF(2^8) and GF(((2^2)^2)^2). Boyar and Peralta improved upon Canright's results by swapping his GF((2^2)^2) inversion circuit for their own optimized version and then performing subsequent combinational logic minimization on the entire S-box circuit. Given the effectiveness of this two-phase approach, we model our methodology after both of them.
3 Quantified Security of S-Boxes
With the continued improvement of cryptanalytic attacks that include different forms of linear and differential cryptanalysis [23, 1] and algebraic analysis [8, 10], among many others [16, 18, 21], it is critically important that cryptographic S-boxes do not exhibit weaknesses that can be exploited by these attacks. For example, linear cryptanalysis of SPN-based block ciphers exploits the existence of some linear combinations of input and output bits in the substitution step that occur with high (or low) probability [23]. Therefore, highly nonlinear S-boxes are ideal to reduce the probability that such linear combinations can be found and effectively exploited. To determine if an S-box has this property, we may compute the nonlinearity
N_l(S) = \min_{c} \{ N_l(c \cdot S) \} = \min_{c \in S_2^m} \{ N_l(c_0 f_0 \oplus c_1 f_1 \oplus \cdots \oplus c_{m-1} f_{m-1}) \}, \quad (1)
where N_l(f) is the nonlinearity of a Boolean function f : GF(2)^n \to GF(2), f_i are the m coordinate functions of S for i = 1, ..., m, \cdot is the inner product operator of two Boolean functions, and W_f(u) = \sum_{x \in GF(2)^n} (-1)^{f(x) \oplus (u \cdot x)} is the Walsh transform of f with respect to the input function u [12]. Other cryptographic metrics of interest include: the maximum and minimum entries of the linear and difference distribution table [23, 1], δ-differential uniformity [28, 29], resiliency and correlation immunity [7], component algebraic immunity [7], XL and XLS algebraic immunity [25, 8], interpolation polynomial algebraic complexity [18, 13], and branch number [13].
All of these metrics can be computed within a reasonable amount of time for single n-bit S-boxes over fields GF(2^n) when n ≤ 16. For example, directly computing the differential uniformity can be done in O(2^{3n}) time, which is feasible for a single 16-bit S-box. This complexity, however, prohibited such computations for all 16-bit S-boxes considered in this work. By computing these metrics for S-box candidates we may quantitatively compare the security of different constructions. In general, we seek to build S-boxes that have high nonlinearity, low differential uniformity, high resiliency, high algebraic immunity, and high algebraic complexity. We focus on these metrics when selecting possible S-box constructions in the first step of our methodology. In this step we find an affine transformation that can be composed with a suitable power mapping for the S-box. We describe this procedure in the following section.
4 Constructing Suitable S-Boxes
Our focus is on S-box construction from power mappings over Galois fields, i.e. functions of the form S(x) = x^d where x ∈ GF(2^n) and 0 ≤ d < 2^n. While other possible constructions exist, such as those based on the well-defined cryptographic properties of Boolean functions, there are several limitations that make these difficult to use in practice. For instance, they typically do not have compact algebraic expressions, which implies that hardware and software implementations often use lookup tables for such mappings. This may be acceptable for small n-bit S-boxes (i.e. n ≤ 8), but not for n ≥ 16.
Power mappings of the form S(x) = x^d over the field GF(2^n) are typically classified by their exponents d. The known exponents of power mappings over GF(2^n) for even n with substantially high nonlinearity and good differential uniformity properties are shown in Table 1.
Table 1: Cryptographically-significant power mappings.
Name        Exponent (d)                                                        Ref.
Inverse     −1 ≡ 2^n − 2                                                        [29]
Gold        2^k + 1, gcd{k, n} = 1 for some 1 ≤ k ≤ 2n − 1                       [9]
Kasami      2^{2k} − 2^k + 1, gcd{k, n} = 1 for some 1 ≤ k ≤ n/2                 [9]
Dobbertin   2^{4k} + 2^{3k} + 2^{2k} + 2^k − 1 over GF(2^n) with n = 5k          [9]
Niho        2^m + 2^{m/2} − 1 over GF(2^n) with n = 2m + 1 and m even            [9]
            2^m + 2^{(3m+1)/2} − 1 over GF(2^n) with n = 2m + 1 and m odd
Welch       2^m + 3 over GF(2^n) with n = 2m + 1                                 [9]
Since these S-boxes are intended for block ciphers, it is natural to impose the additional requirement that they are bijective. By Fermat's Little Theorem it is easy to see that this only occurs when gcd{d, 2^n − 1} = 1. Interestingly, with this restriction and the constraint n = m = 16, many of the possible values for d are discarded and only the inverse exponent remains. See [35] for a proof of this claim.
Although these power mapping exponents are very well studied in the literature, we did not settle on them as the only candidates. In fact, for 8-bit S-boxes, we exhaustively computed the nonlinearity and δ-differential uniformity of all power mappings over GF(2^8) using the AES field polynomial to determine if there exist suitable candidates that could be studied further. We found that there are only 8 distinct power mapping exponents and inverses (d, d^{-1}) such that δ = 4 and NL = 112, the optimal values for such power mappings: (127, 253), (191, 251), (223, 247), (239, 239), (247, 223), (251, 191), (253, 127), (254, 254). We did not perform similar computations for 16-bit S-boxes, simply because these computations are much more expensive. Also, since it is not necessary that an S-box be invertible (e.g. if the block cipher using the S-box is operated in CTR mode), we need only find area-optimized circuits for either d or d^{-1}.
After finding a candidate S-box construction with reasonable nonlinearity and δ-differential uniformity, our next task was to modify the constructions to increase the algebraic complexity (note that the algebraic expression of an interpolation polynomial for an S-box defined solely by a power mapping consists of a single term). In order to avoid interpolation attacks, such expressions should have more terms (be more complex). Perhaps the most common technique for increasing the complexity is to compose an affine transformation with one such power mapping. Cui and Cao [11] proved that the algebraic complexity for any affine-power S-box over GF(2^n) is bounded by n + 1. Algorithm 1 presents a probabilistic procedure to search for an appropriate affine transformation for affine-power S-boxes, characterized by a matrix M and constant vector c. Using the same rationale for the affine transformation selection presented by Daemen and Rijmen in [14], this procedure searches for affine transformations that have a "complex algebraic expression if combined with the inverse mapping" and, together with the inverse operation, have "no fixed points and no opposite fixed points." In this context, a fixed point or opposite fixed point occurs when there exists an element x ∈ GF(2^n) such that S(x) ⊕ x = 0^n or S(x) ⊕ x = 1^n. Since there are no known attacks that exploit the existence of fixed points, we opted to lift this constraint if the pair M and c provide more opportunities for logic optimization than pairs that do not yield any fixed points.
Algorithm 1: Probabilistic affine transformation search procedure, where #p(y) (resp. #p^{-1}(y)) is the number of terms in the interpolation polynomial p(y) (resp. p^{-1}(y)).
    repeat
        M := RandomMatrix(GF(2), n, n)
        c := RandomElement(GF(2^n))
        if det(M) ≠ 0 then
            valid := True
            ForwardPairs, InversePairs := [ ]
            for each x ∈ GF(2^n) do
                if x is not a fixed point then
                    z := M x^d + c
                    ForwardPairs := Append(ForwardPairs, (x, z))
                    x' := (M^{-1}(z + c))^{d^{-1}}
                    ...
            if valid = True then
                p(y) := Interpolate(ForwardPairs)
                p^{-1}(y) := Interpolate(InversePairs)
                ...
    until done = False
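The steps of Algorithm 1 and the term count #p(y) it relies on, as an added Python example that is not the paper's Magma program. It assumes GF(2^8) with the AES field polynomial and the standard AES affine layer (neither is one of the paper's parameter sets), holds M as eight row bitmasks, and obtains the interpolation polynomial from the closed-form Lagrange coefficients over the whole field rather than from a general Interpolate routine; the acceptance threshold on the term counts, which the page does not state, is left to the caller.

```python
"""Affine-power S-box helpers over GF(2^8) with the AES field polynomial.
Added example (not the paper's Magma code): it computes the term count #p(y)
of the interpolation polynomial used by Algorithm 1 and runs a miniature
version of the probabilistic affine-transformation search."""
import random

POLY = 0x11B                       # v^8 + v^4 + v^3 + v + 1 (AES polynomial)
EXP, LOG = [0] * 510, [0] * 256    # antilog/log tables for the generator 0x03
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v ^= _v << 1                  # multiply by 0x03 ...
    if _v & 0x100:
        _v ^= POLY                 # ... and reduce modulo POLY
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_pow(a, e):
    """a^e in GF(2^8) for 0 <= e <= 254 (0^0 is taken as 1)."""
    if e == 0:
        return 1
    return 0 if a == 0 else EXP[(LOG[a] * e) % 255]

def affine(rows, c, v):
    """M*v + c over GF(2); rows[i] is the bitmask of row i (output bit i)."""
    out = c
    for i, r in enumerate(rows):
        out ^= (bin(r & v).count("1") & 1) << i
    return out

def gf2_inverse(rows):
    """Inverse of an n x n GF(2) matrix by Gauss-Jordan; None if det(M) = 0."""
    n = len(rows)
    a, inv = list(rows), [1 << i for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r] >> col & 1), None)
        if piv is None:
            return None
        a[col], a[piv], inv[col], inv[piv] = a[piv], a[col], inv[piv], inv[col]
        for r in range(n):
            if r != col and a[r] >> col & 1:
                a[r] ^= a[col]
                inv[r] ^= inv[col]
    return inv

def build_sbox(rows, c, d):
    """S(x) = M x^d + c as a 256-entry table (the z step of Algorithm 1)."""
    return [affine(rows, c, gf_pow(x, d)) for x in range(256)]

def build_inverse_sbox(rows, c, d):
    """S^-1(z) = (M^-1 (z + c))^(d^-1) (the x' step of Algorithm 1)."""
    inv_rows, d_inv = gf2_inverse(rows), pow(d, -1, 255)
    return [gf_pow(affine(inv_rows, 0, z ^ c), d_inv) for z in range(256)]

def interpolation_terms(sbox):
    """Term count #p(y) of the unique polynomial of degree < 256 over GF(2^8)
    agreeing with `sbox` on the whole field.  Lagrange interpolation over all
    of GF(2^8) collapses in characteristic 2 to c_0 = f(0),
    c_j = sum_{a != 0} f(a) a^(255-j) for 1 <= j <= 254, c_255 = sum_a f(a)."""
    count = int(sbox[0] != 0)
    for j in range(1, 255):
        c = 0
        for a in range(1, 256):
            c ^= gf_mul(sbox[a], gf_pow(a, 255 - j))
        count += c != 0
    total = 0
    for v in sbox:
        total ^= v
    return count + (total != 0)

def fixed_points(sbox):
    """Inputs x with S(x) + x = 0 (fixed point) or S(x) + x = 1^8 (opposite)."""
    return [x for x, z in enumerate(sbox) if z ^ x in (0, 0xFF)]

def affine_power_search(d, trials, seed=2015):
    """Miniature Algorithm 1: draw random (M, c), keep only invertible M, and
    record the fixed points and the term counts #p(y) and #p^-1(y).  The
    acceptance threshold on the counts is left to the caller."""
    rng, results = random.Random(seed), []
    while len(results) < trials:
        rows = [rng.randrange(1, 256) for _ in range(8)]
        c = rng.randrange(256)
        if gf2_inverse(rows) is None:          # det(M) = 0: draw again
            continue
        s = build_sbox(rows, c, d)
        results.append({"rows": rows, "c": c, "fixed_points": fixed_points(s),
                        "terms": interpolation_terms(s),
                        "inverse_terms": interpolation_terms(
                            build_inverse_sbox(rows, c, d))})
    return results

# AES affine layer as row masks: output bit i is the parity of input bits
# {i, i+4, i+5, i+6, i+7} (mod 8); the constant is 0x63.  Standard AES values.
AES_ROWS = [sum(1 << ((i + k) % 8) for k in (0, 4, 5, 6, 7)) for i in range(8)]
AES_C = 0x63
```

interpolation_terms(build_sbox(AES_ROWS, AES_C, 254)) returns 9, the n + 1 bound of Cui and Cao, while the pure power mapping x^254 (identity M, c = 0) gives the single term noted above; affine_power_search(254, 2) reports two random candidates with their fixed points and both term counts.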
5 Searching for Area-Efficient Tower Field Constructions
There are a variety of isomorphic representations for the fields GF(2^8) and GF(2^16). Using composite arithmetic to compute the multiplicative inverse requires arithmetic operations such as addition, multiplication, squaring, and scaling (i.e. multiplication by a constant) in the subfields. The complexity of such arithmetic heavily depends on the representation of elements in the subfields. Polynomial arithmetic is generally more computationally efficient with polynomials of a smaller degree. This can be shown by deriving the expressions for the arithmetic operations in these subfields. For example, given an element ε ∈ GF(((2^2)^2)^2) (where r(x) = x^2 + x + Π defines GF((2^2)^2)) represented in a polynomial basis [1, X] with subfield coefficients δ_1 and δ_2, ε^{-1} can be computed as
\varepsilon^{-1} = \delta_1 (\delta_2^2 + \delta_1 \delta_2 + \delta_1^2 \Pi)^{-1} x + (\delta_1 + \delta_2)(\delta_2^2 + \delta_1 \delta_2 + \delta_1^2 \Pi)^{-1}.
If ε is represented in a normal basis [X, X^16], the expression becomes
\varepsilon^{-1} = \big((\delta_1 \delta_2 + (\delta_1 + \delta_2)^2 \Pi)^{-1} \delta_2\big) x^{16} + \big((\delta_1 \delta_2 + (\delta_1 + \delta_2)^2 \Pi)^{-1} \delta_1\big) x.
Deriving a general expression for inversion in GF((2^2)^4) depends on numerous factors, including the coefficients of the polynomial r(x) and the basis representation. Given the numerous possibilities, we omit such derivations here, but it should be intuitively clear that the higher-degree polynomials representing elements in GF((2^2)^4) will lead to less compact expressions than the simple quadratic extension case, in which we can always find an irreducible polynomial r(x) with a unit x coefficient. Consequently, we focus on the tower fields GF((((2^2)^2)^2)^2) and GF(((2^2)^2)^2) for GF(2^16) and GF(2^8), respectively. Using such isomorphic representations, the cost of all arithmetic operations with respect to the subfields using a polynomial and normal basis is given in Table 2.
Table 2: Cost of arithmetic in GF((q^2)^2) with respect to the subfield GF(q^2): (A)ddition, (M)ultiplication, (Sq)uare, (I)nversion, (Sc)ale, and (SS)quare-scale operations for polynomial and normal basis representations.
Operation   Polynomial Basis        Normal Basis
Inverse     3M + 2A + 1I + 1SS      3M + 2A + 1I + 1SS
Add         2A                      2A
Multiply    3M + 4A + 1Sc           3M + 4A + 1Sc
Square      2Sq + 1Sc + 1A          3A + 2Sq + 1Sc
To this end, let t(v) be a degree 16 (8) irreducible polynomial over GF(2) for GF(2^16) (analogously GF(2^8)), s(y) = y^2 + Ψy + Λ be the irreducible polynomial for GF((((2^2)^2)^2)^2), r(x) = x^2 + Θx + Π be the irreducible polynomial for GF(((2^2)^2)^2), q(w) = w^2 + Ωw + Σ be the irreducible polynomial for GF((2^2)^2), and finally p(v) = v^2 + v + 1 be the only irreducible polynomial for GF(2^2). We enforce Ψ = Θ = Ω = 1 to simplify field arithmetic. Also, we denote by V, W, X, and Y roots of the polynomials for the fields GF(2^2), GF((2^2)^2), GF(((2^2)^2)^2), and GF((((2^2)^2)^2)^2), respectively, and refer to the forward and inverse basis change matrices needed to map elements from GF(2^8) and GF(2^16) to their isomorphic tower field partners as T and T^{-1}.
Each irreducible polynomial for the fields GF(2^2), ..., GF((((2^2)^2)^2)^2) will have two distinct conjugate roots, which we denote as the sets {V, V^2}, {W, W^4}, {X, X^16}, and {Y, Y^256}. A polynomial basis for any field can be formed by selecting one of these roots as a basis element in conjunction with the identity element 1, e.g. [1, V] or [1, V^2] for GF(2^2), whereas a normal basis requires that both roots are used. For each possible combination of basis elements we then programmatically determine the combinational complexity of subfield arithmetic needed to compute the inverse.
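The quadratic-extension inversion formula above and the polynomial-basis column of Table 2, as an added Python example that is not the paper's Magma code: a polynomial-basis tower GF(2^2) ⊂ GF((2^2)^2) ⊂ GF(((2^2)^2)^2) ⊂ GF((((2^2)^2)^2)^2) with Ψ = Θ = Ω = 1, where each level counts the subfield operations it spends. The constants Σ, Π, Λ are chosen here by an irreducibility test (the first admissible value at each level), not taken from the paper's parameter sets, and the normal-basis variant is not implemented.

```python
"""Polynomial-basis tower field arithmetic with Table 2 style operation
counting.  Added example, not the paper's Magma program; the extension
constants are picked by the irreducibility search below."""
from collections import Counter

class GF4:
    """GF(2^2) = GF(2)[V]/(V^2 + V + 1); elements are ints 0..3 (bit 1 = V)."""
    zero, one = 0, 1
    def elements(self):
        return range(4)
    def add(self, a, b):
        return a ^ b
    def mul(self, a, b):
        a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
        return ((a1 & b1) ^ (a1 & b0) ^ (a0 & b1)) << 1 | ((a0 & b0) ^ (a1 & b1))
    def inv(self, a):
        return (0, 1, 3, 2)[a]            # V^-1 = V + 1

class Quadratic:
    """GF(K^2) = K[x]/(x^2 + x + pi) over the subfield K.  An element (d1, d2)
    stands for d1*x + d2 in the polynomial basis [1, X]; every operation
    records the subfield operations it uses in `ops` (A, M, I, Sc, SS)."""
    def __init__(self, sub, pi):
        self.sub, self.pi = sub, pi
        self.zero, self.one = (sub.zero, sub.zero), (sub.zero, sub.one)
        self.ops = Counter()

    def elements(self):
        return [(a, b) for a in self.sub.elements() for b in self.sub.elements()]

    def add(self, a, b):
        self.ops["A"] += 2
        return (self.sub.add(a[0], b[0]), self.sub.add(a[1], b[1]))

    def mul(self, a, b):
        # (a1 x + a2)(b1 x + b2) with x^2 = x + pi, Karatsuba style:
        # x-coefficient = a1 b1 + a1 b2 + a2 b1, constant = a1 b1 pi + a2 b2
        (a1, a2), (b1, b2), s = a, b, self.sub
        p11, p22 = s.mul(a1, b1), s.mul(a2, b2)
        cross = s.mul(s.add(a1, a2), s.add(b1, b2))
        self.ops.update({"M": 3, "A": 4, "Sc": 1})
        return (s.add(cross, p22), s.add(s.mul(p11, self.pi), p22))

    def inv(self, e):
        # e^-1 = conj(e) / N(e) with conj(e) = d1 x + (d1 + d2) and the norm
        # N = d2^2 + d1 d2 + d1^2 pi = d2 (d1 + d2) + d1^2 pi (square-scale)
        (d1, d2), s = e, self.sub
        t = s.add(d1, d2)
        n = s.add(s.mul(d2, t), s.mul(s.mul(d1, d1), self.pi))
        n_inv = s.inv(n)
        self.ops.update({"M": 3, "A": 2, "I": 1, "SS": 1})
        return (s.mul(d1, n_inv), s.mul(t, n_inv))

def irreducible_constants(field):
    """Constants k for which x^2 + x + k is irreducible over `field`: exactly
    those not of the form w^2 + w (the trace-one elements)."""
    image = {field.add(field.mul(w, w), w) for w in field.elements()}
    return [k for k in field.elements() if k not in image]

def build_tower(levels):
    """GF(2^2) extended `levels` times, taking the first admissible constant
    at each level (an illustrative choice, not one of the paper's)."""
    field = GF4()
    for _ in range(levels):
        field = Quadratic(field, irreducible_constants(field)[0])
    return field

def operation_cost(field, op):
    """Subfield operation counts for one 'inv' or 'mul' in `field`, to be
    compared with the polynomial-basis column of Table 2."""
    field.ops.clear()
    if op == "mul":
        field.mul(field.one, field.one)
    else:
        field.inv(field.one)
    return dict(field.ops)

def check_inverses(field, sample):
    """True if e * e^-1 = 1 for every nonzero element in `sample`."""
    return all(field.mul(e, field.inv(e)) == field.one
               for e in sample if e != field.zero)
```

build_tower(2) is GF(((2^2)^2)^2); irreducible_constants on its subfields reproduces the two choices for q(w) and eight for r(x) quoted in Section 6, and operation_cost(build_tower(2), "inv") matches the 3M + 2A + 1I + 1SS of Table 2.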
For each combination of basis elements we also perform several arithmetic and logic optimizations. For instance, as Satoh [34] mentions, it is possible to save on the number of gates required for a circuit if there exist two GF((2^m)^2) multipliers that have a shared input. This is because both the polynomial and normal multipliers need to compute the sum of the two coefficients for the input elements, as shown in Figure 1. Therefore, every shared input factor will save one addition in the subfield. In addition, polynomial and normal multipliers for elements in GF((2^2)^2) and GF(((2^2)^2)^2) each have three subfield multipliers that will share a
Fig. 1: XOR gate reduction for two GF((2^2)^2) multipliers with a shared input B. The single XOR gate is saved by not recomputing the sum of the two B coefficients B_1 and B_2 when B is represented in a normal basis.
We also make use of the optimizations to the square-scale operations performed by Canright [6]. At a high level, such optimizations are used to derive compact expressions for the square-scale operations given particular values of Π, which can only take a fixed number of values in order to make r(x) irreducible over GF((2^2)^2). We refer the reader to [35] and [6] for further discussion of these optimizations.
Our S-box construction program written in Magma [5] does not support exhaustive common subexpression elimination. This is primarily due to the fact that Magma does not support normal basis representations for finite field elements. Furthermore, exhaustively searching for all common subexpressions in all 432 possible inversion and square-scale algebraic expressions over GF(((2^2)^2)^2) was outside the scope of this work. Future work will explore programmatically deriving such compact expressions in order to achieve lower gate counts. Also, it is important to note that, because we do not automatically apply the full set of Canright's optimizations, our gate counts will be upper bounds on the total number of gates. That is, the software that was written to count the number of gates for each field representation and basis selection will produce a result that
Fig. 2: High-level diagram for a merged S-box circuit. The sel signal is used to toggle encryption and decryption modes.
shown in his detailed report, other optimizations can be applied to lower this bound even further. After the tower field implementation parameters have been identified, we then utilize the logic minimization techniques of Paar [31] and Boyar and Peralta [3] to reduce the XOR gate count for the basis change matrices, which are merely linear mappings represented as straight-line programs (SLPs). An SLP for a binary matrix-vector multiplication expression is a finite sequence of lines of the form u := λv + µw, where λ and µ are elements in GF(2), u, v, and w are variables, and some lines are outputs of the corresponding multiplication.
In addition to these algebraic and gate-level optimizations, we also follow in the footsteps of Satoh [34] and Canright [6] by performing logic minimizations on merged S-box designs. The merged S-box design simply pairs the forward and inverse S-box operations into the same circuit, so that they use the same inversion component, where the output is determined by a simple multiplexer. A high-level overview of the merged circuit is shown in Figure 2. We optimize the matrices T^{-1}/(MT)^{-1} and MT/T separately.
6 New S-Box Constructions and Implementations
We measure the complexity, or cost, of a particular S-box as the total number of XOR and AND gates required in a combinational circuit implementation. To determine this cost for merged S-box circuits we measure the cost of the basis transformation matrices T and T^{-1} merged with the affine transformation matrices M, the cost of a single inversion circuit, and the weight of the affine constant c. For fixed M and c, we perform an exhaustive search over all mixed basis representations of the S-box field to find an upper bound on the gates required for the inversion circuit. We then use the logic optimization technique of Boyar and Peralta [2] to reduce the number of XOR gates required for the merged basis change and affine transformation matrices.
For 16-bit S-boxes, there are 128 choices for s(y), eight choices for r(x), two choices for q(w), and only one choice for p(v) that have a trace of unity. Since each of these polynomials has two distinct conjugate roots that can be used to represent the respective field elements with a polynomial or normal basis, there are exactly three basis element combinations in all degree-two extension subfields of GF(2^16). Consequently, there is a total of 165888 possible cases to consider for a single polynomial t(v). Since the basis change matrices depend on the representation of GF(2^16), and there are 4080 candidates for t(v), this means that we must consider about 6 × 10^8 possible cases to find a minimal transformation. Due to computational limitations, we selectively focused on the 21 smallest t(v) polynomials when searching for 16-bit S-box implementation parameters. For 8-bit S-boxes, there are only 30 candidate t(v) polynomials with smaller basis change matrices, so we did not have to impose a similar computational restriction.
We applied our methodology to find 8-bit S-boxes over GF(2^8) and new 16-bit S-boxes over GF(2^16). For the 8-bit S-box case, we used Canright's optimized GF(((2^2)^2)^2) inversion circuit when exhaustively searching for suitable implementation parameters. To perform this search, we consider all inverters which have a normal basis for GF((2^4)^2) because the shared multiplication factor saves 5 XOR gates over inverters with a polynomial basis for GF((2^4)^2). After Canright's optimizations, these S-boxes have anywhere from 66 to 68 XOR gates and 36 AND gates for the inverter [6]. Since the GF(2^8) irreducible polynomial determines the number of XOR gates required for the basis change matrices T and T^{-1}, we then considered all 30 degree 8 irreducible polynomials for GF(2^8) to derive such basis change matrices. For each candidate inversion circuit and pair of basis change matrices T and T^{-1}, we then applied the linear circuit minimization heuristic described by Boyar and Peralta in [3] to reduce the required XOR gates. This procedure was repeated for each irreducible polynomial t(v) for GF(2^8) and the basis representation that yielded the smallest number of required XOR and AND gates was recorded. Our results from this experiment for merged S-box designs are summarized in Table 2 in Appendix A.
We were able to improve upon Canright's S-box design using the AES polynomial by a single XOR gate, before logic gate optimizations such as using NAND/NOR instead of AND/XOR gates. With the same normal bases and coefficients Π and Σ, we found a different embedding of GF(((2^2)^2)^2) into GF(2^8) that yielded merged basis change and affine transformation matrices able to be implemented in only 37 XOR gates, as opposed to the 38 found by Canright (see Figure 3 for the basis change matrices and corresponding SLP for proof). This single gate is saved in our field isomorphism and by applying Boyar and Peralta's optimization technique for the merged matrices T^{-1}/(MT)^{-1} and MT/T.
Out of all 30 degree 8 irreducible polynomials over GF(2), we found that t(v) = v^8 + v^6 + v^5 + v^4 + v^2 + v + 1 permitted an S-box circuit with the smallest area requirement of only 103 XOR and 36 AND gates (see Table 3). Using this selection of t(v), the basis change matrices to map an element α ∈ GF(2^8) represented in a polynomial basis to β ∈ GF(((2^2)^2)^2) represented with the bases [1, V], [W, W^4], and [X, X^16], where this tower field uses the coefficients Σ = v and Π = (v + 1)w^4 + w, require at most 35 XOR gates in the merged S-box design (see the SLP in Figure 4 for proof). Further area improvements for this S-box are likely possible by applying Boyar and Peralta's SLP minimization techniques, in addition to CAD-driven optimizations. However, even in its current state, this design surpasses Canright's optimized circuit for the AES S-box, and as such may be of value for implementations of future cryptographic algorithms.
We then considered the 21 smallest degree 16 irreducible polynomials t(v) over GF(2) in search of area-optimized 16-bit S-boxes. This search yielded several S-box constructions with small gate counts prior to (linear) logic optimizations of the basis change matrices. For the smallest irreducible polynomial t(v) = v^16 + v^5 + v^3 + v + 1, we found a set of implementation parameters that permitted a circuit with a total of 1238 XOR and 144 AND gates. This candidate, shown in Figure 5, uses the basis sets [1, V], [1, W], [1, X], [Y^256, Y] to represent elements in GF((((2^2)^2)^2)^2) and its respective subfields, where Σ = v, Π = vw + v, and Λ = (vw + v)x + w. The affine transformation and basis change matrices used to obtain the circuit are shown in Figure 5. A larger subset of




Basis change matrices:
1 1 1 0 0 1 1 1
0 1 1 1 0 0 0 1
0 1 1 0 0 0 1 1
1 1 1 0 0 0 0 1
1 0 0 1 1 0 1 1
0 0 0 0 0 0 0 1
0 1 1 0 0 0 0 1

0 0 0 1 0 0 1 0
1 1 1 0 1 0 1 1
1 1 1 0 1 1 0 1
0 1 0 0 0 0 1 0
0 1 1 1 1 1 1 0
1 0 1 1 0 0 1 0
0 0 1 0 0 0 1 0
0 0 0 0 0 1 0 0

Forward SLP for T^{-1}/(MT)^{-1}:
1) y5 = x7
2) t8 = x1 + x7
3) t9 = x2 + t8
4) y6 = t9
5) t10 = x6 + t9
6) y2 = t10
7) t11 = x0 + x3
8) y8 = t11
9) t12 = x2 + t10
10) t13 = x4 + t12
11) y11 = t13
12) t14 = x1 + t11
13) y12 = t14
14) t15 = x0 + x5
15) t16 = x0 + t9
16) y3 = t16
17) t17 = x0 + t14
18) y10 = t17
19) t18 = x2 + t15
20) y13 = t18
21) t19 = x3 + t9
22) y1 = t19
23) t20 = x3 + t10
24) y15 = t20
25) t21 = x2 + t20
26) y9 = t21
27) t22 = x5 + t13
28) y7 = t22
29) t23 = t10 + t15
30) y0 = t23
31) t24 = t13 + t14
32) y4 = t24
33) t25 = x0 + x6
34) t26 = t24 + t25
35) y14 = t26
Inverse SLP for MT/T:
1) y15 = x5
2) t8 = x2 + x4
3) y0 = t8
4) t9 = x3 + x6
5) y8 = t9
6) t10 = x1 + t8
7) t11 = x5 + t10
8) t12 = x2 + t9
9) y6 = t12
10) t13 = x7 + t11
11) y5 = t13
12) t14 = x0 + t13
13) y10 = t14
14) t15 = x0 + x4
15) y1 = t15
16) t16 = x0 + t8
17) y3 = t16
18) t17 = x0 + t12
19) y13 = t17
20) t18 = x1 + x6
21) y11 = t18
22) t19 = t16 + t18
23) t20 = x1 + x7
24) y2 = t20
25) t21 = x1 + t9
26) y7 = t21
27) t22 = x2 + x6
28) y14 = t22
29) t23 = x7 + t19
30) y9 = t23
31) t24 = t9 + t11
32) y12 = t24
33) t25 = t9 + t19
34) y4 = t25
Fig. 3: Forward SLP for T^{-1}/(MT)^{-1} and inverse SLP for MT/T for use in Canright's design of the AES S-box [6]. Collectively, they require 37 XOR gates to implement.
z = S(x) =
0 0 0 0 1 1 0 1
1 1 0 0 1 0 1 1
0 0 1 0 0 1 1 1
0 1 0 0 1 1 1 1
1 1 0 0 0 0 0 0
1 0 0 1 1 0 0 0
0 0 0 0 1 1 0 0

x = y^{-1} = (S^{-1}(z))^{-1} =
1 1 0 0 1 0 1 1
1 1 0 0 0 0 1 1
0 1 1 0 1 0 1 0
0 1 0 1 0 1 1 0
1 0 0 1 1 0 0 1
1 0 0 1 1 0 1 1
0 1 0 1 0 0 1 1

Basis change matrices:
1 1 1 1 0 0 1 0
0 0 0 0 1 0 1 0
1 1 1 0 1 1 0 0
0 1 0 1 1 1 0 1
1 0 1 1 1 1 1 0
1 1 0 0 0 1 0 0
1 0 0 0 0 0 0 0

0 0 0 0 0 0 1 0
0 0 1 0 0 1 1 1
1 0 1 0 1 0 1 0
1 1 0 0 0 0 0 1
1 0 0 0 1 1 1 0
0 0 1 0 0 0 0 1
1 1 0 0 1 1 1 0
0 1 0 1 1 0 0 1

Forward SLP for T^{-1}/(MT)^{-1}:
1) y0 = x6
2) y9 = x2
3) t8 = x0 + x4
4) t9 = x6 + t8
5) y11 = t9
6) t10 = x1 + x7
7) t11 = x5 + t9
8) y4 = t11
9) y15 = t11
10) t12 = x3 + t10
11) t13 = x4 + t12
12) y7 = t13
13) y14 = t13
14) t14 = x0 + t10
15) y3 = t14
16) t15 = x2 + t9
17) y2 = t15
18) t16 = x2 + x7
19) y5 = t16
20) t17 = t8 + t16
21) t18 = x1 + t11
22) y6 = t18
23) t19 = x3 + t9
24) y12 = t19
25) t20 = x6 + t12
26) y8 = t20
27) t21 = t10 + t17
28) y13 = t21
29) t22 = t11 + t17
30) y1 = t22
31) t23 = t14 + t15
32) y10 = t23
Inverse SLP for MT/T:
1) y2 = x1
2) y14 = x0
3) t8 = x0 + x1
4) t9 = x2 + x4
5) t10 = x3 + x6
6) t11 = x5 + t8
7) y13 = t11
8) t12 = t8 + t9
9) y15 = t12
10) t13 = x0 + t10
11) y0 = t13
12) t14 = t12 + t13
13) y6 = t14
14) t15 = x3 + x4
15) y3 = t15
16) t16 = x6 + t12
17) t17 = x3 + x7
18) y5 = t17
19) t18 = x4 + t11
20) y7 = t18
21) t19 = x2 + t18
22) y10 = t19
23) t20 = x3 + t12
24) y4 = t20
25) t21 = x4 + x6
26) y9 = t21
27) t22 = t11 + t14
28) y12 = t22
29) t23 = t11 + t16
30) y1 = t23
31) t24 = t15 + t16
32) y8 = t24
33) t25 = x0 + t17
34) t26 = t18 + t25
35) y11 = t26
Fig. 4: The 8-bit S-box and basis change matrices for polynomial t(v) = v^8 + v^6 + v^5 + v^4 + v^2 + v + 1. The vector y is the inverse of the element x in GF(2^8) (or 0̄ if x = 0). Accordingly, the output y = S^{-1}(z) is inverted in the same way to obtain the original element x. The forward S-box SLP for T^{-1}/(MT)^{-1} and inverse S-box SLP for MT/T are also shown, which collectively require 35 XOR gates to implement.
z = S(x) =

0 0 1 0 0 0 0 1 0 0 1 1 1 1 1 0
1 1 0 0 0 0 0 1 0 1 1 0 1 0 1 0
1 1 0 0 1 0 1 1 0 1 0 1 0 0 1 1
1 1 1 0 0 0 1 0 0 1 1 0 0 0 0 0
1 1 0 0 0 1 1 0 0 1 1 1 1 0 1 1
0 1 0 0 0 0 1 1 0 1 1 1 1 1 0 1
0 0 1 0 1 0 1 0 1 1 0 0 1 1 0 0
1 0 1 1 1 0 1 1 0 0 0 1 0 1 1 1
0 1 0 0 0 0 0 0 1 0 0 1 1 1 0 1
1 0 1 1 0 0 0 1 0 0 1 0 1 0 0 0
1 0 1 0 0 1 1 1 0 0 1 1 0 1 0 0
1 0 1 1 1 0 1 1 1 1 0 1 1 0 0 1
1 0 1 0 0 1 0 1 1 0 0 1 0 0 0 1
0 1 0 0 0 1 1 1 1 0 0 0 0 0 0 1
1 0 0 0 1 1 0 1 0 1 1 1 1 0 0 0







































x = y−1 = (S−1(z))−1 =

0 1 0 1 0 1 1 1 0 0 1 0 0 0 0 1
1 1 0 1 0 0 1 0 1 0 1 1 1 1 0 1
1 0 1 1 1 1 0 1 0 1 1 0 0 0 0 0
0 0 1 0 1 1 1 0 1 0 1 1 1 0 1 0
1 1 1 1 1 0 0 0 1 0 0 0 0 1 0 0
0 0 0 1 0 1 0 0 0 0 1 1 1 1 1 1
1 0 1 0 0 0 0 0 0 1 1 0 1 0 1 1
0 0 1 0 1 1 1 0 0 1 0 1 1 1 1 0
0 0 0 0 0 0 1 0 0 0 1 0 0 0 1 0
1 1 1 0 0 1 1 1 1 0 1 1 1 0 0 0
0 1 1 0 1 1 1 1 0 0 1 0 1 1 1 1
1 0 0 1 1 0 0 0 1 0 0 1 1 0 1 1
1 0 0 0 0 1 0 1 1 1 0 0 1 0 1 0
1 0 0 0 0 1 1 1 1 1 0 1 1 1 1 1
1 1 1 0 0 1 1 0 1 0 0 1 1 1 1 1

0 1 0 1 0 0 0 0 1 0 0 0 0 1 0 0
0 1 1 0 0 1 1 1 0 0 1 0 0 1 1 1
0 0 0 1 1 0 0 1 0 0 0 1 0 0 0 1
1 1 0 0 0 0 1 1 0 1 0 1 0 0 1 1
1 1 0 0 1 0 0 1 0 0 0 1 0 1 0 1
0 0 1 1 0 1 1 1 1 0 0 0 1 0 0 1
0 0 0 1 1 0 1 0 1 0 1 0 0 1 0 0
0 0 1 0 1 0 1 0 0 1 1 1 0 1 0 0
1 0 1 0 0 1 1 1 1 0 1 1 0 0 1 1
0 0 0 1 0 1 0 1 0 1 1 0 0 1 0 1
1 1 0 1 1 0 1 1 0 0 1 0 0 0 0 1
0 1 1 1 0 1 0 0 1 1 1 0 0 0 1 0
0 1 0 1 1 1 0 0 1 1 0 1 0 0 0 0
1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0
0 1 0 0 0 1 0 0 0 1 0 1 0 0 1 0

1 0 1 0 0 0 0 1 1 0 0 0 0 0 1 0
1 0 0 0 1 0 0 0 0 1 0 0 1 1 0 0
1 1 0 0 1 0 0 0 1 1 0 1 1 0 1 0
0 1 1 1 1 0 1 1 1 0 1 1 1 0 0 0
0 0 0 1 1 0 0 1 0 0 0 1 1 0 0 0
0 1 0 1 1 0 1 0 1 0 0 0 0 1 1 0
1 0 1 1 0 0 1 1 0 0 0 1 1 1 0 0
1 0 0 0 1 0 0 0 0 0 1 0 0 0 0 1
0 0 0 0 1 0 0 1 1 0 0 0 0 0 1 0
1 0 1 0 0 0 1 1 0 1 0 1 1 0 1 0
1 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0
0 0 0 1 1 0 1 0 1 0 1 1 1 0 1 0
0 0 0 0 1 1 1 1 0 1 1 0 0 0 0 0
0 1 1 1 1 0 1 0 0 1 1 1 0 1 1 0
0 1 1 0 1 0 1 1 0 0 1 0 1 0 0 0
1 1 0 1 0 0 0 0 0 0 1 1 1 0 1 1

Fig. 5: The 16-bit S-box and basis change matrices for the polynomial
t(v) = v^16 + v^5 + v^3 + v + 1. The vector y is the inverse of the element x in
GF(2^16) (or the zero vector if x = 0). Accordingly, the output y = S^{-1}(z) is inverted
in the same way to obtain the original element x.
7 Conclusion
In this work we presented a comprehensive methodology for identifying
cryptographically significant S-box constructions based on power mappings
over GF(2^n) and searching for composite-field representations that
permit low-area hardware implementations. We applied our technique to
8-bit S-boxes defined over GF(2^8) using all 30 degree-8 irreducible
polynomials and found several circuits with area-optimized implementations
on par with or surpassing the AES equivalent (pending CAD optimizations).
Motivated by a potential need for larger S-boxes, we then scaled up our
procedure to 16-bit S-boxes. We believe this methodology and our results
may be useful in the design of future cryptographic algorithms.
In this appendix we provide detailed parameters for a variety of S-box
constructions. A basis B = [β^{n1}, β^{n2}] is used to represent an arbitrary
element α ∈ GF((q^m)^2) as α = a1 β^{n1} + a2 β^{n2} for some a1, a2 ∈ GF(q^m). The
basis element powers n1 and n2 are chosen such that B is a polynomial or
normal basis. In particular, if n1 = 0, then B must be a polynomial basis
where n2 ∈ {1, q^m}. If n1 ≠ 0 and n2 ≠ 0 then B must be a normal basis.
The order of normal basis elements in B depends on how Magma selects
primitive elements. Specifically, if β^{q^m} is chosen as the primitive element
then our S-box construction program will fix the basis B = [β^{q^m}, β].
In the following tables we encode each irreducible polynomial t(v),
constant c, and binary matrix (T, T^{-1}, and M in row order), which are
described in Sections 4 and 5, as a hexadecimal string. Σ, Π, and Λ, the
irreducible polynomial coefficients described in Section 5, are shown with
a polynomial basis. We also use the notation IF!v to denote the embedding
of v into the field IF, where IF = GF(2^8) or IF = GF(2^16) for 8- and 16-bit
S-boxes, respectively. The subfield bases are exactly as described in
Section 5. Finally, the Inv. and Total fields denote the number of XOR
gates required for the multiplicative inverse and merged S-box circuits,
respectively.
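The encoding just described can be exercised on the Table 3 row for t(v) = 177 (the Figure 4 construction). The following is an added example, not code from the paper: it decodes the hex-encoded T, T^{-1}, M and c, checks that T and T^{-1} undo each other, rebuilds S(x) = M·x^{-1} + c over GF(2^8)/t(v), and checks that the result is a permutation with differential uniformity 4. The row/bit convention assumed for the hex strings (first byte is row 0, bit 7 is the leftmost column) is not stated on the page; the T·T^{-1} check confirms it.

```python
# Added example (not code from the paper): decode the Table 3 row for t(v) = 177,
# the Figure 4 construction, and rebuild its S-box S(x) = M * x^-1 + c over
# GF(2^8)/t(v). Assumed hex convention, which the paper does not spell out: the
# first hex byte is matrix row 0 and bit 7 of a byte is the leftmost column.
T_V = 0x177                                    # t(v) = v^8+v^6+v^5+v^4+v^2+v+1
T_HEX, TINV_HEX = "F20AEC5DBEC480E8", "0227AAC18E21CE59"   # T and T^-1 from Table 3
M_HEX, C = "0DCB274FC0980C8A", 0x08                        # M and c from Table 3

def decode_matrix(hex_str):
    # hex string in row order -> list of row bitmasks (bit 7 = column 0)
    return [int(hex_str[i:i + 2], 16) for i in range(0, len(hex_str), 2)]

def mat_vec(rows, x):
    # binary matrix (row bitmasks) times column vector x over GF(2)
    n = len(rows)
    return sum((bin(r & x).count("1") & 1) << (n - 1 - i) for i, r in enumerate(rows))

def inverse_pair(a_hex, b_hex):
    # True iff the two encoded matrices undo each other on every 8-bit vector
    a, b = decode_matrix(a_hex), decode_matrix(b_hex)
    return all(mat_vec(a, mat_vec(b, x)) == x for x in range(256))

def gf_mul(a, b, poly=T_V):
    # multiply in GF(2^8) with elements as 8-bit polynomials reduced mod poly
    r = 0
    while b:
        if b & 1: r ^= a
        a <<= 1
        if a & 0x100: a ^= poly
        b >>= 1
    return r

def gf_inv(a, poly=T_V):
    # a^(2^8 - 2) = a^-1; 0 maps to 0, as in the paper's S-box definition
    r, p = 1, 254
    while p:
        if p & 1:
            r = gf_mul(r, a, poly)
        a, p = gf_mul(a, a, poly), p >> 1
    return r

def build_sbox(m_hex=M_HEX, c=C, poly=T_V):
    m = decode_matrix(m_hex)
    return [mat_vec(m, gf_inv(x, poly)) ^ c for x in range(256)]

def is_permutation(sbox):
    return sorted(sbox) == list(range(len(sbox)))

def differential_uniformity(sbox):
    # largest entry of the difference distribution table (nonzero input difference)
    n, worst = len(sbox), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst
```

The same decoder applies to every other Table 3 row; the permutation and differential-uniformity checks only need M to be invertible, which the T·T^{-1} style check makes easy to confirm for any row.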
Table 3: Area-optimized 8-bit S-box constructions for merged circuit implementations using all 30 irreducible polynomials t(v) of degree 8 over GF(2). The entry with polynomial t(v) = 177 corresponds to the construction given in Figure 4.

t(v) | Σ | Π | IF!v | IF!w | IF!x | Bases | T | T^-1 | M | c | Inv. | Total
177 | v | vw+v+1 | B7 | 88 | 2D | [1,V],[W,W^4],[X^16,X] | F20AEC5DBEC480E8 | 0227AAC18E21CE59 | 0DCB274FC0980C8A | 8 | 66 | 103
11D | v | (v+1)w+v | D6 | 98 | C4 | [1,V],[1,W],[X,X^16] | 5339882404D70232 | 8C76181BAC0802EF | EFA440ACEA187460 | 8E | 67 | 105
1CF | v | (v+1)w+1 | 3D | ED | 9 | [1,V],[1,W],[X,X^16] | 0CC82C469FE022AD | 72D6A00BE464A253 | 520B02BAB98646E4 | 81 | 67 | 106
187 | v | (v+1)w+v | AB | 74 | 57 | [V,V^2],[W,W^4],[X^16,X] | 0327531B0C8D127C | 7F51A9F16169F373 | F56E5CA0F2968A8C | 8 | 66 | 106
1E7 | v+1 | (v+1)w+1 | 84 | 31 | F1 | [1,V],[W,W^4],[X^16,X] | 91E4C9417D8AA092 | F8A5FACDC8E734B5 | 8598346E041CD8F8 | 8 | 66 | 106
19F | v+1 | (v+1)w | FA | 23 | 73 | [V,V^2],[W,W^4],[X^16,X] | A68B17476596717A | 43E155D129DB4D67 | 438496B8F84D5DE0 | 72 | 66 | 107
13F | v | (v+1)w | 94 | 28 | 15 | [1,V],[1,W^4],[X^16,X] | 0ACC409B041BE658 | 1420C25D7C08FCD9 | 011E10437454CDD9 | 7A | 67 | 109
1BD | v+1 | vw | 26 | 53 | 8D | [1,V^2],[1,W],[X^16,X] | 5D84028CBB93CAD2 | C6B45C53508620B1 | 45E589B90CDA65C4 | 89 | 67 | 109
1A9 | v | (v+1)w+v | C7 | F6 | 52 | [1,V],[1,W],[X,X^16] | 24F940D16E60791A | 422024A974A4DCDB | 83A31CD507280ADB | 68 | 67 | 110
18B | v+1 | (v+1)w | 77 | C1 | F5 | [1,V^2],[1,W^4],[X,X^16] | BF539B1BE6B12823 | 30BEEC13EE4C26CB | 264CF2FC9B8FB78E | 61 | 67 | 111
1A3 | v+1 | (v+1)w+1 | 29 | BB | 27 | [1,V],[1,W^4],[X^16,X] | 8480BD26C2339DB8 | 40BA223556C0F2E1 | E1FAC8996F3023C1 | 16 | 68 | 111
11B | v+1 | vw | BD | 5C | FE | [V,V^2],[W,W^4],[X^16,X] | 12EBED427EB22204 | E77163E19B01614F | F87C3E1F8FC7E3F1 | 63 | 66 | 111
14D | v | vw | 1D | FA | F5 | [V,V^2],[W,W^4],[X,X^16] | 4E41B124ACDE506D | 49CF2BCD513B258F | 011E10437454CDD9 | A6 | 66 | 111
17B | v | (v+1)w+v | 6C | 7E | 2 | [1,V],[1,W],[X^16,X] | 6660CA6AE84A1501 | 245414FF6CFC3C01 | 4A9FFC577FD73804 | 97 | 67 | 111
1C3 | v+1 | vw | AD | 23 | 5A | [V,V^2],[W,W^4],[X^16,X] | 5622901ED1592868 | 9F0391BF93EDD12B | 88BB13BFE534ED48 | D1 | 66 | 111
15F | v | vw | 1A | 84 | 8C | [1,V^2],[1,W^4],[X,X^16] | 590888EC937B02B4 | 60AA86FB401C0291 | 16A7AC3C07626A5C | 1F | 67 | 112
12D | v | vw | BF | 59 | 71 | [1,V],[1,W],[X,X^16] | 02955F7142644E4B | 5488BA173C368035 | 6C9942803817848D | 5D | 67 | 112
1B1 | v+1 | vw+v | CC | F3 | 98 | [1,V],[1,W^4],[X^16,X] | 3D246A9D1B460489 | D2CE42136402C8B7 | 71135076BF2EDBFF | 99 | 67 | 112
18D | v+1 | (v+1)w+v | 4E | 45 | 90 | [1,V^2],[W,W^4],[X^16,X] | 11D00A938A8FFDA9 | 288FD6E7986BB867 | 18D74F6D8E3799E6 | 6C | 66 | 113
12B | v | vw+1 | EB | 3D | 3B | [V,V^2],[W,W^4],[X^16,X] | CF9A81142B398486 | 1DED670F511F033D | 3DBEB3014F9FEAC9 | 1B | 66 | 113
171 | v | vw+v+1 | DA | F0 | 39 | [1,V],[W,W^4],[X^16,X] | 2F8FE194C42802B5 | 6E5FAE47AA3902BF | B5F1DBE1FC57284F | E8 | 66 | 113
1F3 | v | vw | 71 | AA | 26 | [1,V],[W,W^4],[X,X^16] | 72806B022D666395 | 40FB2C4722C310C5 | 19A0A7807BEB58B8 | E9 | 66 | 113
1F5 | v | (v+1)w+v | 5C | C | E3 | [1,V],[1,W^4],[X,X^16] | BB759120AC4A3B8D | 82B410BBDC466C19 | 6FDD1A839A7FB394 | F0 | 67 | 113
169 | v | vw+1 | 7F | 13 | 2 | [1,V^2],[W,W^4],[X^16,X] | 88807F8F2ADF1C01 | 40EB64FFC03DAC01 | 1D4E860BCE686CC0 | D7 | 66 | 114
139 | v+1 | vw+v+1 | D4 | 4B | 13 | [1,V],[W,W^4],[X^16,X] | FDAD824678084B32 | 9EB3CC73041DBE0B | E8B74263439E1B02 | F2 | 66 | 114
165 | v | vw+1 | 89 | 73 | FC | [V,V^2],[W,W^4],[X^16,X] | 4782288D12DD9C01 | 5B07F713D79D1B01 | 9A1A8A9F9BA2CD67 | FC | 66 | 115
1F9 | v | vw+1 | C0 | B2 | 82 | [1,V^2],[1,W^4],[X^16,X] | BD288426C480FBC3 | 0428BA43FA248EA3 | 34026D099E44E22D | DF | 68 | 117
1DD | v | vw+v+1 | A1 | 8B | 22 | [1,V],[W,W^4],[X^16,X] | D0D791DDA5FFC981 | DC7D3A217E332EDD | 7DD62EE52D1B32B9 | FC | 66 | 117
1D7 | v | (v+1)w | 35 | 73 | 5A | [1,V],[W,W^4],[X^16,X] | D71E2F9E932014D4 | 505304D97EDB3CBD | A0758DF7DEB59BE0 | EE | 66 | 118
Table 4: Subset of the smallest area-optimized 16-bit S-box constructions for merged circuit implementations found using our methodology.

t(v) | 1012F | 1018F | 10175 | 1015D
Σ | v+1 | v+1 | v | v
Π | vw+1 | vw+v | vw | (v+1)w+1
Λ | (vw+1)x | (vw+1)x+vw+v+1 | ((v+1)w+v)x | ((v+1)w+1)x
IF!v | 8AA4 | A477 | F723 | 10C
IF!w | 5628 | 6610 | 953F | 1B79
IF!x | E432 | 45D1 | C130 | 8E3D
IF!y | 7FC0 | A8D2 | 12A9 | 849F
Bases | [V,V^2],[1,W^4],[1,X^16],[Y^256,Y] | [1,V^2],[1,W],[X,X^16],[Y^256,Y] | [1,V^2],[1,W],[X,X^16],[1,Y^256] | [V,V^2],[1,W^4],[1,X^16],[Y,Y^256]
T^-1 | 5604FC5A41E67B644A40A8BEF62D481CC788160890C95C3826FA6AAC2EB8C0C54644A226B89D3EAFE5421040FB41564B5837AA5A8B8CF735 (the four entries were extracted as one run of hex digits; the boundaries between columns are not recoverable)
T | A03F998C29ECECA261AA8C68D89BA923247E3ED95F525A598C2463DC0617A0B82ECAFE880051803463FD0ED2C47C0C07040CE435D4064289 (four entries, extracted as one run)
M | 9F5A116333100CB33A4604FD272A66FEAC4F696AC9C4275E7DDCBA77A6EAF2D22BC542875BE444ECAF5A1BB5CC9E4C55E7F139D7E3584A5D (four entries, extracted as one run)
c | 1A2E | 8EA3 | 39F8 | F9D8
Inverse | 367 | 376 | 390 | 367
Total | 1209 | 1230 | 1231 | 1238
