Abstract

In this paper, we develop an S-box designing method by considering an interplay between an S-box and a linear layer, which enhances security against differential cryptanalysis. The basic idea can be found in bitslice-friendly ciphers such as Serpent and bit-permutation ciphers such as PRESENT. In those designs, S-boxes were chosen so that the branch number is not too small, which rapidly diffuses differences. We apply a similar analysis to other constructions. The first target is extended generalized Feistel networks (EGFN) and its instance Lilliput, which has an XOR layer after the standard GFN. We show that security of EGFN can be enhanced by using an S-box that does not allow any difference \(\varDelta \) to be mapped to the same \(\varDelta \) with a high probability, say \(2^{-2}\) for a 4-bit S-box. The second target is AES-like ciphers that use a binary matrix in MixColumns. We focus on the chain of differences \(\varDelta A \rightarrow \varDelta B \rightarrow \varDelta C \rightarrow \cdots \) over the S-box, where each transition occurs with a high probability. We show that security of such AES-like ciphers can be enhanced if the maximum length of the chains is short. As a proof-of-concept, we evaluate Lilliput, Midori, and SKINNY with the new S-box satisfying the property.

Keywords: S-box, Design, SPN, EGFN, Differential cryptanalysis
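The two S-box properties named in the abstract can be checked directly from a difference distribution table; the sketch below is an added example, not code from the paper. It assumes "high probability" means a DDT count of at least 4 (probability \(2^{-2}\) for a 4-bit S-box) and measures a chain as the number of transitions along distinct nonzero differences, since the abstract does not give the paper's exact definition; the function names are hypothetical and the PRESENT S-box serves only as sample input.

```python
from itertools import product

# PRESENT S-box, used here only as sample input (PRESENT is named in the abstract).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def ddt(sbox):
    """Difference distribution table: t[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    n = len(sbox)
    t = [[0] * n for _ in range(n)]
    for a, x in product(range(n), repeat=2):
        t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

def fixed_differences(sbox, min_count=4):
    """Nonzero differences d for which d -> d holds for >= min_count inputs.
    min_count=4 on a 4-bit S-box corresponds to probability 4/16 = 2^-2."""
    t = ddt(sbox)
    return [d for d in range(1, len(sbox)) if t[d][d] >= min_count]

def longest_chain(sbox, min_count=4):
    """Number of transitions in the longest chain dA -> dB -> dC -> ...
    of distinct nonzero differences, every step having count >= min_count.
    (Assumed definition: no difference is revisited, self-loops excluded.)"""
    t = ddt(sbox)
    n = len(sbox)
    succ = {a: [b for b in range(1, n) if b != a and t[a][b] >= min_count]
            for a in range(1, n)}

    def walk(a, seen):
        # Depth-first search; cheap because there are only 15 nonzero differences.
        return max((1 + walk(b, seen | {b})
                    for b in succ[a] if b not in seen), default=0)

    return max(walk(a, {a}) for a in range(1, n))

if __name__ == "__main__":
    table = ddt(PRESENT_SBOX)
    worst = max(table[a][b] for a in range(1, 16) for b in range(16))
    print("max DDT count:", worst)
    print("differences with d -> d at prob >= 2^-2:",
          [hex(d) for d in fixed_differences(PRESENT_SBOX)])
    print("longest high-probability chain:", longest_chain(PRESENT_SBOX))
```

An empty list from `fixed_differences` is the EGFN-oriented criterion, and a small `longest_chain` value is the criterion for AES-like ciphers with a binary MixColumns matrix.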
