Low AND Depth and efficient inverses: A guide on S-boxes for low-latency masking

Begül Bilgin, Lauren De Meyer, Sébastien Duval, Itamar Levi, François-Xavier Standaert

Research output: Contribution to journal › Article › peer-review

30 Scopus citations

Abstract

In this work, we perform an extensive investigation and construct a portfolio of S-boxes suitable for secure lightweight implementations, which aligns well with the ongoing NIST Lightweight Cryptography competition. In particular, we target good functional properties on the one hand and efficient implementations in terms of AND depth and AND gate complexity on the other. Moreover, we also consider the implementation of the inverse S-box and the possibility for it to share resources with the forward S-box. We take our exploration beyond the conventional small (and even) S-box sizes. Our investigation is twofold: (1) we note that implementations of existing S-boxes are not optimized for the criteria which define masking complexity (AND depth and AND gate complexity) and improve a tool published at FSE 2016 by Stoffelen in order to fill this gap. (2) We search for new S-box designs which take these implementation properties into account from the start. We perform a systematic search based on the properties of not only the S-box but also its inverse as well as an exploration of larger S-box sizes using length-doubling structures. The result of our investigation is not only a wide selection of very good S-boxes, but we also provide complete descriptions of their circuits, enabling their integration into future work.

Original language: English
Pages (from-to): 144-184
Number of pages: 41
Journal: IACR Transactions on Symmetric Cryptology
Volume: 2020
Issue number: 1
DOIs: (not given on the page)
State: Published - 2020

Bibliographical note

Publisher Copyright:
© 2020, Ruhr-Universität Bochum. All rights reserved.

Funding

This work was partly supported by CyberSecurity Research Flanders with reference number VR20192203. Lauren De Meyer is funded by a PhD fellowship of the Fund for Scientific Research - Flanders (FWO). François-Xavier Standaert is a senior research associate of the Belgian Fund for Scientific Research (F.R.S.-FNRS). This work has been funded in parts by the European Union through the ERC project SWORD (724725), the H2020 project REASSURE and the European Union and Walloon Region FEDER USERMedia project 501907-3791.

Funders | Funder number
--- | ---
CyberSecurity Research Flanders | VR20192203
European Union and Walloon Region FEDER USERMedia | 501907-3791
F.R.S.-FNRS |
Fund for Scientific Research - Flanders (FWO / Fonds Wetenschappelijk Onderzoek) |
Horizon 2020 Framework Programme |
European Commission (ERC project SWORD) | 724725

Keywords

• AND depth
• Lightweight cryptography
• Masking
• Multiplicative complexity
• S-box
