TY - JOUR
T1 - Low AND Depth and efficient inverses
T2 - A guide on S-boxes for low-latency masking
AU - Bilgin, Begül
AU - De Meyer, Lauren
AU - Duval, Sébastien
AU - Levi, Itamar
AU - Standaert, François Xavier
N1 - Publisher Copyright:
© 2020, Ruhr-Universität Bochum. All rights reserved.
PY - 2020
Y1 - 2020
N2 - In this work, we perform an extensive investigation and construct a portfolio of S-boxes suitable for secure lightweight implementations, which aligns well with the ongoing NIST Lightweight Cryptography competition. In particular, we target good functional properties on the one hand and efficient implementations in terms of AND depth and AND gate complexity on the other. Moreover, we also consider the implementation of the inverse S-box and the possibility for it to share resources with the forward S-box. We take our exploration beyond the conventional small (and even) S-box sizes. Our investigation is twofold: (1) we note that implementations of existing S-boxes are not optimized for the criteria which define masking complexity (AND depth and AND gate complexity) and improve a tool published at FSE 2016 by Stoffelen in order to fill this gap. (2) We search for new S-box designs which take these implementation properties into account from the start. We perform a systematic search based on the properties of not only the S-box but also its inverse as well as an exploration of larger S-box sizes using length-doubling structures. The result of our investigation is not only a wide selection of very good S-boxes, but we also provide complete descriptions of their circuits, enabling their integration into future work.
KW - AND depth
KW - Lightweight cryptography
KW - Masking
KW - Multiplicative complexity
KW - S-box
UR - http://www.scopus.com/inward/record.url?scp=85084861083&partnerID=8YFLogxK
U2 - 10.13154/tosc.v2020.i1.144-184
DO - 10.13154/tosc.v2020.i1.144-184
M3 - Article
AN - SCOPUS:85084861083
SN - 2519-173X
VL - 2020
SP - 144
EP - 184
JO - IACR Transactions on Symmetric Cryptology
JF - IACR Transactions on Symmetric Cryptology
IS - 1
ER -