Abstract
Bad Output must go to Good Input (BOGI) is the primary design strategy of GIFT , a lightweight block cipher that was presented at CHES 2017. Because this strategy obviates the need to adhere to the required conditions of S-boxes when adopting bit-permutation, cryptographic designers have more S-box choices. In this paper, we classify all 4-bit S-boxes that support BOGI, called “BOGI-applicable S-boxes,” and evaluate them in terms of the cryptographic strength and efficiency. First, we exhaustively show that only 2413 Permutation- XOR-Equivalence (PXE) classes over 4-bit S-boxes are BOGI-applicable. After refining the PXE classes with respect to the differential uniformity ( $\mathcal {U}$ ) and linearity ( $\mathcal {L}$ ), we suggest 20 “Optimal BOGI-applicable” PXE classes that provide the best ( $\mathcal {U}$ , $\mathcal {L}$ ). Our security evaluations revealed that all optimal BOGI-applicable S-boxes fulfill the security properties considered by the designers of GIFT and that the differences between them exist in the other properties. Moreover, we explore the resistance of GIFT variants against differential and linear cryptanalysis by replacing the existing S-box with other optimal BOGI-applicable S-boxes. Based on the results, we identify the best attainable resistance with the bit-permutation of GIFT-64 . Lastly, we suggest notable S-boxes that support competitive performance, jointly considering the cryptographic strength and efficiency for GIFT-64 and GIFT-128 structures, respectively.
Highlights
A large number of lightweight block ciphers adopt bitpermutation due to its negligible implementation cost in hardware
As Bad Output must go to Good Input (BOGI)-applicability is preserved in a PXE class, and it is feasible to analyze the number of PXE classes exhaustively, we present an in-depth analysis of all BOGI-applicable S-boxes
Our investigations revealed that all optimal BOGI-applicable S-boxes fulfill the security properties considered by the designers of GIFT and that the differences among the PXE classes exist with respect to the other cryptographic properties
Summary
A large number of lightweight block ciphers adopt bitpermutation due to its negligible implementation cost in hardware. Our investigations revealed that all optimal BOGI-applicable S-boxes fulfill the security properties considered by the designers of GIFT and that the differences among the PXE classes exist with respect to the other cryptographic properties. We explore the cost of implementing the optimal BOGI-applicable S-boxes in software and hardware, respectively This was achieved by adopting two well-known measures – Bitslice Gate Complexity (BGC) and Gate Equivalent Complexity (GEC). 2) SUGGESTION OF NOTABLE S-BOXES FOR GIFT We jointly consider the implementation cost and the resistance against DC and LC, and suggest notable S-boxes for the GIFT1 structures This is accomplished by deducing the best differential and linear trails by replacing the existing S-box of GIFT with optimal BOGI-applicable S-boxes. Our results show that the maximum differential probability and correlation potential of 12-round trails of GIFT-128 variants can be improved up to (−76.4, −74) from the current (−60.4, −72)
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
