J Electron Test (2009) 25:225–245
DOI 10.1007/s10836-009-5108-4

Fault Detection Structures of the S-boxes and the Inverse S-boxes for the Advanced Encryption Standard

Mehran Mozaffari-Kermani · Arash Reyhani-Masoleh

Received: 28 April 2008 / Accepted: 1 July 2009 / Published online: 17 July 2009
© Springer Science + Business Media, LLC 2009

Abstract Fault detection schemes for the Advanced Encryption Standard are aimed at detecting the internal and malicious faults in its hardware implementations. In this paper, we present fault detection structures of the S-boxes and the inverse S-boxes for designing high performance architectures of the Advanced Encryption Standard. We avoid utilizing the look-up tables for implementing the S-boxes and the inverse S-boxes and their parity predictions. Instead, logic gate implementations based on composite fields are used. We modify these structures and suggest new fault detection schemes for the S-boxes and the inverse S-boxes. Using the closed formulations for the predicted parity bits, the proposed fault detection structures of the S-boxes and the inverse S-boxes are simulated and it is shown that the proposed schemes detect all single faults and almost all random multiple faults. We have also synthesized the modified S-boxes, inverse S-boxes, mixed S-box/inverse S-box structures, and the whole AES encryption using the 0.18μ CMOS technology and have obtained the area, delay, and power consumption overheads for their fault detection schemes. Furthermore, the fault coverage and the overheads in terms of the space complexity and time delay are compared to those of the previously reported ones.

Responsible Editor: M. Goessel

M. Mozaffari-Kermani · A. Reyhani-Masoleh
Department of Electrical and Computer Engineering, The University of Western Ontario, London, Ontario, Canada
e-mail: mmozaff@uwo.ca

A. Reyhani-Masoleh
e-mail: areyhani@uwo.ca

Keywords Advanced encryption standard · Fault detection structures · Parity prediction · S-box · Inverse S-box

1 Introduction

The Advanced Encryption Standard (AES) was recently approved by NIST (National Institute of Standards and Technology) [10] as a replacement for the previous standards because of its good characteristics in terms of security, cost, and efficient implementations [10]. In encryption, the AES accepts a 128-bit plain text input. The key can be specified to be 128 (AES-128), 192 or 256 bits. In the AES-128, the cipher text is generated after ten rounds, where each round consists of four transformations except for the final round, which has three transformations. The decryption algorithm transforms the cipher text to the original plain text using the reverse procedure [10].

Each transformation in every round of encryption/decryption acts on its 128-bit input, which is considered as a four by four matrix, called state, whose entries are eight bits. The transformations in each round of encryption except for the last round are as follows:

SubBytes: The first transformation in each round is the bytes substitution, called SubBytes, which is implemented by 16 S-boxes. These S-boxes are nonlinear transformations which substitute the 128-bit input state with a 128-bit output state.

ShiftRows: ShiftRows is the second transformation in which the four bytes of the rows of the input state are cyclically shifted to the left. The number of left shifts for each row is equal to the number