Abstract

The widespread advent of the Internet-of-Things has motivated new design strategies for lightweight block ciphers. In particular, security against traditional cryptanalysis should ideally be complemented by resistance to side-channel attacks, while adhering to low area and power requirements. At FSE 2018, Ghoshal et al. proposed a dedicated design strategy based on Cellular Automata (CA) for S-Boxes that are amenable to side-channel secure threshold implementations. However, CA-based S-Boxes have some limitations: they lack BOGI properties and have low branch numbers, which makes them vulnerable to classical cryptanalysis attacks. In this paper, we address the vulnerabilities of these weak S-Boxes by complementing them with an ultra-lightweight linear layer and subsequently building \(\textsf{LbT}\) (Light but Tight), an area-efficient and side-channel resilient family of block ciphers. The super-optimal CA-rule-based S-Box layer is complemented with a linear layer consisting of shuffle cells and matrix multiplication with an ultra-lightweight almost-MDS matrix that needs only 6 XOR gates. This ensures high diffusion at the cost of a minimal area overhead. Hence, we show that these vulnerable S-Boxes are not weak: when complemented appropriately with a proper linear layer, they can lead to a cryptographically strong as well as lightweight cipher design. Overall, the TI-protected circuit of \(\textsf{LbT}\) requires an area footprint of only 3063 GE, which is \(12\%\) lower than any first-order side-channel protected implementation among all of the existing lightweight block ciphers. Finally, we illustrate that LbT-64-128 obtains a reasonable throughput when compared to other lightweight block ciphers.

Keywords: Block cipher, Lightweight, Side channel resistance, Cellular automata, Threshold implementation
