Searching the space of tower field implementations of the 𝔽<SUB align="right">2<SUP align="right">8</SUP> inverter - with applications to AES, Camellia and SM4

The tower field implementation of the 𝔽 2 8 inverter is not only the key technique for compact implementations of the S-boxes of several internationally standardised block ciphers such as AES, Camellia, and SM4, but also the underlying structure many side-channel attack resistant AES implementations rely on. In this work, we conduct an exhaustive study of the tower field representations of the 𝔽 2 8 inverter with normal bases by applying several state-of-the-art combinatorial logic minimisation techniques. As a result, we achieve improved implementations of the AES, Camellia and SM4 S-boxes in terms of area footprint. Surprisingly, we are still able to improve the currently known most compact implementation of the AES S-box from CHES 2018 by 5.5 GE, beating the record again. For Camellia and SM4, the improvements are even more significant. The Verilog codes of our implementations of the AES, Camellia and SM4 S-boxes are openly available.