Figure - uploaded by Sébastien Duval
Low-depth 8- to 11-bit S-boxes Overview


Source publication
Article
In this work, we perform an extensive investigation and construct a portfolio of S-boxes suitable for secure lightweight implementations, which aligns well with the ongoing NIST Lightweight Cryptography competition. In particular, we target good functional properties on the one hand and efficient implementations in terms of AND depth and AND gate c...

Contexts in source publication

Context 1
... by composing quadratic functions, we can obtain higher-degree S-boxes with AND depth exactly two. This was done for example in [DB18, Table 7]. It is shown that the quartic APN function (x^15) can be decomposed using classes 74 and 75 from [BBS17], i.e. has AND depth two. ...
Context 2
... finish our search with an exploration of low-depth power functions of various sizes that satisfy one of the properties of § 4.1. The results are summarized in Table 7. At a size of 8 bits, the AES S-box is currently the best known. ...

Similar publications

Article
With the rapid growth of the internet of things (IoT), resource-constrained devices have become an integral part of our daily lives. Public key encryption with keyword search (PEKS) enables users to search over encrypted data without revealing sensitive information. However, the computational and memory constraints of these devices pose challenges...
Article
Multilevel and compartmented access structures are two important classes of access structures where participants are grouped into levels/compartments with different degrees of trust and privileges. The construction of secret sharing schemes for such access structures has been the attention of researchers for a long time. Two main approache...
Preprint
In this paper, we propose a brand-new chaotic encryption model that defines operations based on the data, which named Diffractive Encryption. We take a specific encryption algorithm as an example to prove the excellent effect and high security of the model. Unlike the existing encryption methods, the ciphertext generated by our encryption model har...
Article
Quantum key distribution (QKD) features fundamentally proven security and offers a promising option for post-quantum cryptography and future quantum repeater technology. Qubit-based QKD protocols based on binary encoding are limited by a secret key capacity of at most one bit per photon. In contrast, qudit-based QKD protocols that can transmit more...
Conference Paper
All programming languages have a built-in function for Pseudo-Random Number Generators (PRNGs) for the ease of programmers. The algorithms used to generate Pseudo-Random Numbers (PRNs) are mainly focused on time complexity. The question we are interested in is to check if the PRNs generated using these inbuilt functions are good enough for the use...

Citations

... The S-box is the only nonlinear component in most block ciphers, and thus the implementation of which determines the performance of the overall implementation of the cipher. To optimize implementation of the S-box under different metrics, various tools have been proposed for small S-boxes, such as the ones in [40][41][42] for hardware implementation and the ones in [43,44] for quantum implementation. Note that the public tools LIGHTER [40] and LIGHTER-R [43] have also been used to design quantum circuits for components of large S-boxes [25,[29][30][31]45]. ...
... where z_0 = t_31 · y_4, z_1 = t_47 · y_9, z_2 = t_42 · y_5, z_3 = t_44 · y_15, z_4 = t_45 · y_13, z_5 = t_46 · y_11, z_6 = t_35 · y_6, z_7 = t_43 · y_17, z_8 = t_39 · y_7, z_9 = t_31 · y_0, z_10 = t_47 · y_8, z_11 = t_42 · y_1, z_12 = t_44 · y_14, z_13 = t_45 · y_12, z_14 = t_46 · y_10, z_15 = t_35 · y_2, z_16 = t_43 · y_16, z_17 = t_39 · y_3, and t_43, ..., t_47 are linearly related to t_31, t_35, t_39 and t_42. ...
... Assume that z_0, ..., z_17 are calculated in parallel; then the implementation of H_3 can be completed in an AND-depth of 1.
AND-depth-2 circuit of H_2
The maximal algebraic degree of the ANFs of the outputs of the 4-bit S-box corresponding to H_2 is 3, which means that H_2 can be implemented in an AND-depth of 2 if the only nonlinear logic gate is the 2-input AND gate. By applying the SAT-based heuristic proposed in [42], the following AND-depth-2 implementation of H_2 can be obtained, where (t_20, t_22, t_24, t_26) and (t_31, t_35, t_39, t_42) are the input and output of H_2, respectively, and q_i (i = 0, ..., 13) and v_j (j = 0, ..., 6) are the inputs and outputs of the AND gates, respectively. ...
Article
The rapid development of quantum technology challenges the security of modern cryptography, which causes concern from the cryptographic community about the quantum implementation of cryptographic algorithms, as it is an important component of many quantum attacks. In this paper, the construction of quantum circuits for the Camellia block cipher is investigated. Firstly, a 4-bit S-box is derived from the hardware circuit of the Camellia S-box, which divides the S-box circuit into three parts. Then, based on the rearranged circuit, as well as the implementation of the CCCNOT gate, the construction of the NCT-based circuit for the Camellia S-box is researched. Meanwhile, combined with the observations on the rearranged S-box circuit and the discussion on the in-place implementation of different matrices, a quantum circuit for the Camellia S-box with lower T-depth is presented. As an application, the various S-box circuits are used to construct quantum circuits for the Camellia family. The results reveal that the memory-efficient and depth-efficient quantum circuits of Camellia can be constructed with lower T-depth and T·M value. Besides, for each instance of Camellia, compared with the existing state-of-the-art implementation with the lowest T-depth and T·M value, the depth-efficient circuit designed in this work only costs about 35% of the qubits.
... Moreover, the AND depth has a significant impact on the latency of hardware implementations prone to glitches [35], since nonlinear layers need to be separated by a register stage which causes increase in the number of clock cycles. So, as mentioned in [6], low AND depth and low AND gate count are new requirements of S-boxes when efficient masked implementations are needed for SCA-efficient primitives. ...
... In the case of 8-bit permutations, they share the same lower bound L ≥ 64, while the 3-round Feistel structure reaches a bound δ ≥ 8, lower than Misty networks with δ ≥ 16. Recently, Bilgin et al. [6] proposed the new structure bridge which can be considered as a combination of Feistel and Misty networks. They observed that the bridge structure seems to have a lower AND depth with similar cryptographic properties by examples and conjectured that the bounds δ ≥ 2δ(S_i) and L ≥ 4L(S_i) also hold for the bridge structure. ...
... In this paper, we further study the bridge structure to investigate their cryptographic properties as well as the gate count and AND depth. For the cryptographic properties, we apply a similar method as that in [10,28] to prove the bounds conjectured in [6]. However, we observe that such bounds are not always tight for a specific n. ...
Article
In ToSC 2020, Bilgin et al. proposed a new structure called bridge to construct S-boxes with low AND depth for low-latency masking. In this paper, we investigate the bridge structure in detail. Firstly, we prove the conjecture made by Bilgin et al. which is about lower bounds on the differential uniformity and linearity for the 2n-bit bridge structure. However, the bounds are not always tight for a specific n. In particular, for 8-bit permutations with the bridge structure, we further prove that the tight lower bounds on the differential uniformity and linearity are 16 and 64, respectively. Then, we find the best implementations of such 8-bit permutations which reach the tight bounds for low-latency masking. We derive that, without global optimization, the optimal 8-bit permutations with 3-round balanced Feistel or Misty networks both require at least 12 AND gates with AND depth 4, while the optimal 8-bit permutations with the bridge structure require 12 AND gates with only AND depth 3. In addition, we propose a new unbalanced bridge structure with 2n−1, 2n and 2n+1-bit components for the first time. Applying this structure, we can even construct an 8-bit S-box and its inverse with notable AND depths 2 and 3, which is, as far as we know, the lowest AND depth for 8-bit S-boxes with differential uniformity 16 and linearity 64.
... Side-channel protection by masking countermeasures has quadratic cost factors associated with the desired security level which are dominated by vector-multiplications [5,9,10,13,15,24]. Masking implementations are also quite expensive and complicated due to randomness handling (refreshes) and volume (generation) [5,25]. However, all inherent masking assumptions theoretically provide exponential security at "only" a polynomial (quadratic) cost. ...
Article
Efficient implementations of software masked designs constitute both an important goal and a significant challenge to Side Channel Analysis attack (SCA) security. In this paper we discuss the shortfall between generic C implementations and optimized (inline-) assembly versions while providing a large spectrum of efficient and generic masked implementations for any order, and demonstrate cryptographic algorithms and masking gadgets with reference to the state of the art. Our main goal is to show the prime performance gaps we can expect between different implementations and suggest how to harness the underlying hardware efficiently, a daunting task for various masking-orders or masking algorithm (multiplications, refreshing etc.). This paper focuses on implementations targeting wide vector bitsliced designs, such as the ISAP algorithm. We explore concrete instances of implementations utilizing processors enabled by wide-vector capability extensions of the AMD64 Instruction Set Architecture (ISA); namely, the SSE2/3/4.1, AVX-2 and AVX-512 Streaming Single Instruction Multiple Data extensions. These extensions mainly enable efficient memory level parallelism and provide a gradual reduction in computation-time as a function of the level of extension and the hardware support for instruction-level parallelism. For the first time we provide a complete open-source repository of such gadgets tailored for these extensions, various gadgets types and for all orders. We evaluate the disparities between generic high-level language masking implementations for optimized (inline-) assembly and conventional single execution path data-path architectures such as the ARM architecture.
We underscore the crucial trade-off between state storage in the data-memory as compared to keeping it in the register-file (RF). This relates specifically to masked designs, and is particularly difficult to resolve because it requires inline-assembly manipulations and is not natively supported by compilers. Moreover, as the masking order (d) increases and the state gets larger, there must be an increase in data memory read/write accesses for state handling since the RF is simply not large enough. This requires careful optimization which depends to a considerable extent on the underlying algorithm to implement. We discuss how full utilization of SSE extensions is not always possible; i.e. when d is not a power of two, and pin-point the optimal d values and very sub-optimal values of d which aggressively under-utilize the hardware. More generally, this paper presents several different fully generic masked implementations for any order or multiple highly optimized (inline-) assembly instances which are quite generic (for a wide spectrum of ISAs and extensions), and provide very specific implementations targeting specific extensions. The goal is to promote open-source availability, research, improvement and implementations relating to SCA security and masked designs. The building blocks and methodologies provided here are portable and can be easily adapted to other algorithms.
... Examples of such properties are SNR(DPA) Guilley et al. (2004), transparency order Prouff (2005), confusion coefficient variance Picek et al. (2014), modified transparency order Chakraborty et al. (2017), revised transparency order Li et al. (2020) and non-absolute indicator Carlet et al. (2020). Although they cannot be counted as a countermeasure, like masking Golić and Tymen (2002); Bilgin et al. (2020), S-boxes having a good value of these properties show some resistance against power attacks. ...
Article
The design of substitution boxes having built-in resistance against side-channel attacks is an active field of research. In the course of the last ten years several theoretical properties of substitution boxes to measure this resistance have been enunciated being the confusion coefficient variance one of the most relevant. The majority of the substitution boxes generated under the confusion coefficient variance criteria shows, indeed, a certain level of resistance against a correlation power analysis, however they are conceived only for the encryption process while its inverse, which is used for decryption, is often not taken into account. This may result in a vulnerability of the algorithm during the decryption process. In this paper we conduct an analysis of the built-in resistance of 8-bit substitution boxes and their inverses in a side-channel scenario using the state of the art results in this topic. Moreover, we introduce a new method for generating high nonlinear substitution boxes having theoretical built-in resistance against correlation power analysis as well as their inverses.
... KECCAK-like S-boxes 10
23,24,3,14,20,9,30,19,10,17,28,2,11,5,4,29,8,12,21,6,13,18,1,27,25,22,16,15,0,7,31,26
12,5,21,14,3,20,30,15,22,1,9,27,26,0,23,28,24,18,19,11,29,2,8,17,6,31,13,16,7,25,4,10
22,30,21,25,11,20,31,2,26,5,12,29,4,8,6,7,1,0,3,13,28,14,16,27,19,10,15,18,24,23,9,17
ASCON-like S-boxes 0
24,9,27,6,3,31,22,1,20,30,8,5,10,21,15,16,4,19,23,12,28,0,13,26,7,11,25,18,17,14,2,29
23,28,15,16,2,1,21,30,25,19,18,12,11,8,13,6,24,14,0,3,5,29,10,27,4,7,31,9,26,22,20,17
3,13,26,22,17,2,15,21,0,23,12,9,20,25,30,10,27,14,4,29,28,8,1,18,7,24,16,19,31,6,11,5
New S-box 2 0
22,15,16,9,27,3,5,6,1,21,30,18,28,8,10,29,14,0,13,26,24,20,17,31,19,12,7,25,11,23,4,2
PRESENT's DDT into an SMT problem. Then, we describe the property of no fixed point as a constraint. ...
... On the other hand, some SAT-based works can optimize the implementation of an S-box [12,34,40]. We can combine our method with them to build a SAT-based tool for designing an S-box with good cryptographic properties and efficient hardware implementation. ...
Article
The substitution box (S-box) is an important nonlinear component in most symmetric cryptosystems and thus should have good properties. Its difference distribution table (DDT) and linear approximation table (LAT) affect the security of the cipher against differential and linear cryptanalysis. In most previous work, differential uniformity and linearity of an S-box are the two primary cryptographic properties that determine the resistance against differential and linear attacks. In some cases, the branch number and fixed points are also considered. However, other important cryptographic properties such as the frequency of differential uniformity (resp. linearity) and the number of Bad Input and Bad Output (BIBO) patterns in the DDT (resp. LAT) are often ignored. These properties substantially affect lightweight cryptography based on substitution bit permutation networks (SbPN) such as PRESENT, GIFT and RECTANGLE. This paper introduces a new method to search for S-boxes satisfying all the above criteria simultaneously. In our strategy, we transform the process of searching for S-boxes under certain constraints on cryptographic properties into a satisfiability (SAT) problem. As applications, we use our new approach to search for 4-bit and 5-bit S-boxes with the same or better cryptographic properties compared with the S-boxes from well-known ciphers. Finally, we also utilize our method to verify a conjecture proposed by Boura et al. in the case of all 3-bit and 4-bit S-boxes. We propose a proposition and two corollaries to reduce the search space in this verification.
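As an added example (not code from any of the papers listed on this page), the following Python computes the DDT- and LAT-based metrics discussed above for the 5-bit table listed as "New S-box" in the citation context above (transcribed from that table) and, as a reference whose values are well known, the 4-bit PRESENT S-box: bijectivity, fixed points, differential uniformity, linearity as the maximum absolute Walsh value (the convention under which the 8-bit bounds above read L ≥ 64), and a plain count of DDT/LAT cells reaching the maximum. That count is my own simple reading of a "frequency" criterion, not necessarily the cited paper's exact definition.

```python
# Added example, not code from the cited papers: DDT/LAT-based S-box metrics.

# 5-bit S-box transcribed from the "New S-box" row of the citation table above.
NEW_SBOX_5 = [22, 15, 16, 9, 27, 3, 5, 6, 1, 21, 30, 18, 28, 8, 10, 29,
              14, 0, 13, 26, 24, 20, 17, 31, 19, 12, 7, 25, 11, 23, 4, 2]

# 4-bit PRESENT S-box, a reference with well-known metrics (delta = 4, L = 8).
PRESENT_SBOX_4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                  0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_permutation(sbox):
    """An n-bit S-box is bijective iff its table is a permutation of 0..2^n-1."""
    return sorted(sbox) == list(range(len(sbox)))


def fixed_points(sbox):
    """Inputs x with S(x) = x; the search described above forbids these."""
    return [x for x, y in enumerate(sbox) if x == y]


def ddt(sbox):
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) = b}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def differential_uniformity(sbox):
    """delta = largest DDT entry over nonzero input differences (smaller is better)."""
    size = len(sbox)
    table = ddt(sbox)
    return max(table[a][b] for a in range(1, size) for b in range(size))


def _parity(v):
    return bin(v).count("1") & 1


def lat(sbox):
    """Walsh spectrum lat[a][b] = sum_x (-1)^(a.x ^ b.S(x)); |value| = 2^n means affine."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            table[a][b] = sum(1 - 2 * (_parity(a & x) ^ _parity(b & sbox[x]))
                              for x in range(size))
    return table


def linearity(sbox):
    """L = max |Walsh value| over nonzero output masks (convention behind L >= 64)."""
    size = len(sbox)
    table = lat(sbox)
    return max(abs(table[a][b]) for a in range(size) for b in range(1, size))


def count_at_max(table, value):
    """Number of cells with |entry| == value, ignoring the trivial a = 0 / b = 0 cells.

    This is a simple 'how often is the worst case hit' count, assumed here as a
    stand-in for the frequency criterion mentioned above.
    """
    size = len(table)
    return sum(1 for a in range(1, size) for b in range(1, size)
               if abs(table[a][b]) == value)


def report(name, sbox):
    """Collect the metrics for one S-box in a dict (so they can be asserted on)."""
    delta = differential_uniformity(sbox)
    lin = linearity(sbox)
    return {
        "name": name,
        "bijective": is_permutation(sbox),
        "fixed_points": fixed_points(sbox),
        "differential_uniformity": delta,
        "ddt_cells_at_max": count_at_max(ddt(sbox), delta),
        "linearity": lin,
        "lat_cells_at_max": count_at_max(lat(sbox), lin),
    }


if __name__ == "__main__":
    for label, table in (("New S-box (5-bit)", NEW_SBOX_5),
                         ("PRESENT (4-bit)", PRESENT_SBOX_4)):
        print(report(label, table))
```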
... Side-channel protection by masking countermeasures bears asymptotic quadratic cost factors with the desired security level or number of shares (d), dominated by vector multiplications [6]-[11]. Masking implementations are also quite expensive and complicated due to randomness handling (refreshes) and their amount (generation) [11], [12]. However, assuming all inherent masking assumptions hold, theoretically the masking approach provides exponential security with "only" polynomial (quadratic) cost as d increases. ...
Article
In this paper we formulate and re-evaluate a recently proposed randomization-based side-channel protection mechanism. The strength of the construction lies with its ability to comply with standard digital design flows and that it provides a security parameter which directly links side-channel security metrics. A detailed leakage model is provided and investigated for the first time, and it is linked to electronic parameters of the randomization mechanism. We develop guidelines and optimization for concrete ASIC constructions, and shed light on this ultra low-cost leakage-randomization mechanism. The proposed circuit is natural to be utilized without or on top of the popular masking countermeasures. It is demonstrated to be considerably more efficient in terms of attack data-complexity as compared to low-order masking (i.e., number of shares d = 2). In addition, seemingly it is a nice and necessary fit to increase the noise when a too low-noise environment is expected, which impedes masking's theoretical security. Finally, it is discussed that the proposed mechanism is natural to be embedded with masked designs for higher security levels (d > 2) while lowering significantly their asymptotically quadratic area price-tag as d increases. Robustness results are provided along with post place & route cost estimations for both AES encryption and a more recently proposed permutation such as ISAP. Our design efficiently provides unprecedented three orders-of-magnitude signal-to-noise reduction with a total area-overhead of 21% and 46% for AES and Ascon-ρ, respectively. These factors are more cost-efficient than low-order masked designs and such mechanisms are sometimes necessary when the inherent noise is not sufficient. However, the joint embedding of the proposed mechanism with masked designs potentially exponentially improves the security level they provide, all whilst enabling an electronic-design friendly security mechanism.
... These methods typically rely on one of the Feistel, Lai-Massey, or (unbalanced-)MISTY structures, as depicted in Fig. 1-(A), (B), and (C), respectively [6], [10], [12], [13], [23]-[25]. The unbalanced-Bridge structure (Fig. 1-(D)) was mentioned in [26], but an S-box constructed using it has not been presented so far. In Fig. 1, S^j_i represents the j-th i-bit S-box. ...
... Table 1 and Listing 3 show that this S-box can be implemented with fewer operations than the S-box adopted by Fantomas. Also, in [26], it was mentioned that the S-box constructed through unbalanced-Bridge seems to give bad cryptanalytic properties, but we could find more than 8,000 S-boxes satisfying criteria 1-3. One of them is adopted in the block cipher PIPO [20]. ...
Article
Bit permutations are efficient linear functions often used for lightweight cipher designs. However, they have low diffusion effects, compared to word-oriented binary and maximum distance separable (MDS) matrices. Thus, the security of bit permutation-based ciphers is significantly affected by differential and linear branch numbers (DBN and LBN) of nonlinear functions. In this paper, we introduce a widely applicable method for constructing S-boxes with high DBN and LBN. Our method exploits constructions of S-boxes from smaller S-boxes and it derives/proves the required conditions for smaller S-boxes so that the DBN and LBN of the constructed S-boxes are at least 3. These conditions enable us to significantly reduce the search space required to create such S-boxes. Using the unbalanced-Bridge and unbalanced-MISTY structures, we develop a variety of new lightweight S-boxes that provide not only both DBN and LBN of at least 3 but also efficient bitsliced implementations including at most 11 nonlinear bitwise operations. The new S-boxes are the first that exhibit these characteristics.
Article
Smart door locks pose a large number of threats such as network attacks. Their storage area and the power budget for the cipher are severely limited because the wireless nodes of smart door locks are mostly battery-powered. Therefore, effective security solutions are urgently needed. In this paper, a new lightweight block cipher with low power named LPHD is proposed to ensure the security of the master control chip of the smart door lock terminal. We design a scheme of low power S-box and construct the two-stage permutation layer (TP structure) suitable for LPHD by filtering the sets of 8-bit permutations. LPHD proposes a variant of the 8-branch generalized Feistel structure (GFS) to realize that the bits of all branches are affected in one encryption round. The problem of slow diffusion in the standard Feistel structure is solved. The key schedule adopts the nonlinear design and reuses the encryption process of LPHD. It improves the security of the cipher and reduces hardware overhead. Moreover, we evaluate the hardware implementation and security of LPHD. The results show that LPHD for the unified encryption and decryption circuits requires only 1276 Gate Equivalents (GEs) and 1.914 µW on UMC 0.18 µm, which is better than other lightweight block ciphers such as SKINNY, PRESENT, and IVLBC. In summary, LPHD provides sufficient security for the master control chip of the smart door lock terminal.
Chapter
The widespread advent of the Internet-of-Things has motivated new design strategies for lightweight block ciphers. In particular, security against traditional cryptanalysis should ideally be complemented by resistance to side-channel attacks, while adhering to low area and power requirements. In FSE 2018, Ghoshal et al. proposed a dedicated design strategy based upon Cellular Automata (CA) for S-Boxes that are amenable to side-channel secure threshold implementations. However, CA-based S-Boxes have some limitations concerning the absence of BOGI properties and low branch numbers, making them vulnerable to classical cryptanalysis attacks. In this paper, we address the vulnerabilities of these weak S-Boxes by complementing them with an ultra-lightweight linear layer and subsequently building LbT (Light but Tight), an area-efficient and side-channel resilient family of block ciphers. This super-optimal cellular automata (CA)-rule-based S-Box layer is appropriately complemented with a linear layer consisting of shuffle cells and matrix multiplication with an ultra-lightweight almost-MDS matrix with only 6 XOR gates. This ensures high diffusion at the cost of a minimal area overhead. Hence, we show that these vulnerable S-Boxes are not weak but, when complemented appropriately with a proper linear layer, can lead to a cryptographically strong as well as lightweight cipher design. Overall, the TI-protected circuit of LbT requires an area footprint of only 3063 GE, which is 12% lower than any first-order side-channel protected implementation among all of the existing lightweight block ciphers. Finally, we illustrate that LbT-64-128 obtains a reasonable throughput when compared to other lightweight block ciphers.
Article
A cryptographic primitive with low multiplicative complexity (MC) makes various applications efficient, but it may lead to cryptographic vulnerabilities. To find a trade-off between cryptographic resistance and MC, we propose a new tool called A-box, which is constructed using AND gates. In this paper, we prove several important properties of A-boxes, which provide the theoretical lower bounds of differential uniformity and linearity of corresponding S-boxes by MC. Specifically, we show that the differential uniformity (resp. linearity) of an (n, m)-bit S-box is at least 2^(n−l), where its MC is ⌊(n−1)/2⌋ + l (resp. m − 1 + l). Furthermore, we develop an algorithm to find S-boxes with differential uniformity equal to the bounds with respect to their MC. We improve the algorithm previously proposed by Zajac and Jókay (Cryptogr. Commun. 6(3), 255–277, 2014), which is applicable only to S-boxes of size lower than 5 bits, whereas ours can run on larger-sized S-boxes. We found a bijective (8,8)-bit S-box with differential uniformity 16, linearity 128, and 8 nonlinear gates: this has better cryptographic security than the SKINNY S-box with differential uniformity 64, linearity 128, and 8 nonlinear gates. We believe that our results provide a better understanding of the relationship between cryptographic resistance and MC of S-boxes.