A New Method for Designing Lightweight S-Boxes With High Differential and Linear Branch Numbers, and its Application

Hangi Kim,Jaechul Sung,Deukjo Hong,Seonggyeom Kim,Jongsung Kim,Bo-Yeon Sim,Giyoon Kim,Dong-Guk Han,Seokhie Hong,Yongjin Jeon,Hwajeong Seo

doi:10.1109/access.2021.3126008

Abstract

Bit permutations are efficient linear functions often used for lightweight cipher designs. However, they have low diffusion effects, compared to word-oriented binary and maximum distance separable (MDS) matrices. Thus, the security of bit permutation-based ciphers is significantly affected by differential and linear branch numbers (DBN and LBN) of nonlinear functions. In this paper, we introduce a widely applicable method for constructing S-boxes with high DBN and LBN. Our method exploits constructions of S-boxes from smaller S-boxes and it derives/proves the required conditions for smaller S-boxes so that the DBN and LBN of the constructed S-boxes are at least 3. These conditions enable us to significantly reduce the search space required to create such S-boxes. Using the unbalanced- Bridge and unbalanced- MISTY structures, we develop a variety of new lightweight S-boxes that provide not only both DBN and LBN of at least 3 but also efficient bitsliced implementations including at most 11 nonlinear bitwise operations. The new S-boxes are the first that exhibit these characteristics.

Highlights

T HE fourth industrial revolution encompasses a wide range of advanced technologies
One of its core elements is the Internet of Things (IoT), which binds together people, objects, processes, data, applications, and services
A lightweight cryptography standardization project is ongoing at NIST

Summary

INTRODUCTION

T HE fourth industrial revolution encompasses a wide range of advanced technologies. One of its core elements is the Internet of Things (IoT), which binds together people, objects, processes, data, applications, and services. We introduce a construction method for a different type of lightweight 8-bit S-boxes that are wellsuited to a linear bit permutation layer, based on which we develop many of new S-boxes with both DBN and LBN of at least 3 and with efficient masked software implementations. Our framework eliminates all the input and output differences (or masks) where the sum of their Hamming weights is two, during which some conditions of the employed smaller Sboxes are induced These conditions could accelerate the Sbox search, resulting in more than 10,000 new lightweight 8-bit S-boxes with both DBN and LBN of 3. Some of their bitsliced implementations include 11 nonlinear bitwise operations each. We found 6 and 7-bit new S-boxes with both DBN and LBN of 3 which are more efficient than existing ones

ORGANIZATION

NOTATION AND DEFINITIONS

CONCLUSION AND FUTURE WORK