Abstract
The multiplicative complexity of an S-box is the minimum number of 2-input AND gates required to implement the S-box in AND, XOR, NOT logic. We show that under affine equivalence there is only a single class of bijective n×n S-boxes with multiplicative complexity 1. Furthermore, we show that each bijective 4×4 S-box has multiplicative complexity at most 5. Finally, we refine the bounds on the multiplicative complexity of each affine class of bijective 4×4 S-boxes.
Notes
$\Lambda_n$ is a proper representative of its class if $x_1$/$f_1$ denotes the least significant bit of the corresponding encoding of inputs/outputs.
All possible constants can be moved to the linear part of the circuit.
Each node had a different fixed value $c_{n+1}$, but each node produced the same set, so there are still potential reductions of the search space.
We remark that this set also contains all 3374 classes of constant-free S-boxes under linear equivalence.
References
Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all 3×3 and 4×4 S-boxes. In: Prouff, E., Schaumont, P. (eds.) CHES, Lecture Notes in Computer Science, vol. 7428, pp. 76–91. Springer (2012)
Biryukov, A., Cannière, C.D., Braeken, A., Preneel, B.: A toolbox for cryptanalysis: Linear and affine equivalence algorithms. In: Biham, E. (ed.) Advances in Cryptology – EUROCRYPT 2003, Lecture Notes in Computer Science, vol. 2656, pp. 33–50. Springer-Verlag. doi: 10.1007/3-540-39200-9_3 (2003)
Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES, Lecture Notes in Computer Science, vol. 4727, pp. 450–466. Springer (2007)
Boyar, J., Peralta, R.: Tight bounds for the multiplicative complexity of symmetric functions. Theor. Comput. Sci. 396(1–3), 223–246 (2008). doi: 10.1016/j.tcs.2008.01.030
Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. SEA, 178–189 (2010)
Cannière, C.D.: Analysis and design of symmetric encryption algorithms. Ph.D. thesis, Katholieke Universiteit Leuven (2007)
Carlet, C., Goubin, L., Prouff, E., Quisquater, M., Rivain, M.: Higher-order masking schemes for s-boxes. In: Fast Software Encryption, pp. 366–384. Springer (2012)
Cenk, M., Özbudak, F.: On multiplication in finite fields. J. Complex. 26(2), 172–186 (2010). doi: 10.1016/j.jco.2009.11.002, http://www.sciencedirect.com/science/article/pii/S0885064X09001095
Courtois, N., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. Cryptology ePrint Archive. Report 2011/475 (2011)
Eisenbarth, T., Kumar, S.: A survey of lightweight-cryptography implementations, Vol. 24, pp 522–533 (2007)
Fischer, M., Peralta, R.: Counting predicates of conjunctive complexity one. Tech. Rep. YALEU/DCS/TR1222, Yale University (2001)
Leander, G., Poschmann, A.: On the classification of 4 bit S-boxes. In: Carlet, C., Sunar, B. (eds.) Arithmetic of Finite Fields, Lecture Notes in Computer Science, vol. 4547, pp. 159–176. Springer Berlin / Heidelberg (2007), doi: 10.1007/978-3-540-73074-3_13
Lidl, R., Niederreiter, H.: Finite Fields, Encyclopedia of Mathematics and its Applications, Vol. 20. Addison-Wesley, Reading, Massachusetts (1983)
Mirwald, R., Schnorr, C.: The multiplicative complexity of quadratic boolean forms. Theor. Comput. Sci. 102(2), 307–328 (1992). doi: 10.1016/0304-3975(92)90235-8, http://www.sciencedirect.com/science/article/pii/0304397592902358
Roy, A., Vivek, S.: Analysis and improvement of the generic higher-order masking scheme of FSE 2012. Cryptology ePrint Archive, Report 2013/345. http://eprint.iacr.org/ (2013)
Saarinen, M.J.O.: Cryptographic analysis of all 4×4 - bit S-boxes. In: Miri, A., Vaudenay, S. (eds.) Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 7118, pp. 118–133. Springer (2011)
Schnorr, C.: The multiplicative complexity of boolean functions. In: Mora, T. (ed.) Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, Lecture Notes in Computer Science, vol. 357, pp. 45–58. Springer Berlin / Heidelberg. doi: 10.1007/3-540-51083-4_47 (1989)
Ullrich, M., Cannière, C.D., Indesteege, S., Küçük, O., Mouha, N., Preneel, B.: Finding optimal bitsliced implementations of 4 x 4-bit S-boxes. In: Symmetric Key Encryption Workshop. 20 (2011)
Zajac, P.: A new method to solve mrhs equation systems and its connection to group factorization. J. Math. Cryptol. 7(4), 279–381 (2013). doi: 10.1515/jmc-2013-5012
Additional information
This research was supported by grants APVV-0513-10 and APVV-0586-11.
Appendix
1.1 List of S-boxes
For each class of S-box we list its number according to [1] (we only list the class number), its representative in hexadecimal notation (the first normalized S-box in lexicographic order; the prefix 01234 was removed to save space), (an upper bound on) its multiplicative complexity, and the constructive proof of MC. The proof is either by composition of two S-boxes with lower MC, or by writing down the coefficients of the expansion-compression construction for an S-box in the given class (we do not provide a proof of affine equivalence with the representative). The expansion-compression proof was required for 2 S-boxes with MC(S)=2, 5 S-boxes with MC(S)=3, and 25 S-boxes with MC(S)=4.
The format of the expansion-compression proof:
1. Four (single-digit) hex numbers encode vectors $c_{n+1} \cdots c_{n+4}$,
2. Eight (two-digit) hex numbers encode vectors $b_1, b_2$ for $E_4, E_5, E_6, E_7$.
The format of the composition proof $S_2 \circ A \circ S_1$:
1. $S_1$ is the representative of the first listed class;
2. $A$ is always a linear transformation, encoded by 4 hexadecimal numbers, the images of 1, 2, 4, 8 in this order (1 encodes e (1)).
3. $S_2$ is the representative of the second listed class;
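The composition-proof encoding above can be decoded mechanically. The following Python code is an added example, not code from the paper: the function names are hypothetical, the two S-box suffixes and the matrix digits are constructed sample values rather than entries from the paper's list, and it assumes that bit i of the input (least significant first) selects the i-th listed image of A.

```python
HEX = "0123456789ABCDEF"

def expand_representative(suffix):
    """Rebuild the 16-entry table from the compressed form (prefix 01234 removed)."""
    table = [int(d, 16) for d in "01234" + suffix]
    if sorted(table) != list(range(16)):
        raise ValueError("not a bijective 4x4 S-box: " + suffix)
    return table

def linear_map(images_hex):
    """Build the table of A from the images of 1, 2, 4, 8 (in this order)."""
    if len(images_hex) != 4:
        raise ValueError("A needs exactly four hex digits")
    images = [int(d, 16) for d in images_hex]
    table = []
    for x in range(16):
        y = 0
        for bit, image in enumerate(images):
            if (x >> bit) & 1:
                y ^= image  # linearity: A(x) is the XOR of the images of x's set bits
        table.append(y)
    # S2 o A o S1 is bijective only if A is invertible, so reject singular maps.
    if sorted(table) != list(range(16)):
        raise ValueError("A is singular: " + images_hex)
    return table

def compose(s2, a, s1):
    """Table of S2 o A o S1: S1 is applied first, then A, then S2."""
    return [s2[a[s1[x]]] for x in range(16)]

def to_hex(table):
    """Render a 16-entry table as 16 hex digits."""
    return "".join(HEX[v] for v in table)

def demo():
    # Constructed sample values, NOT entries from the paper's list.
    s1 = expand_representative("56789ABCDFE")
    s2 = expand_representative("56789ABDCEF")
    a = linear_map("3248")  # 1 -> 3, 2 -> 2, 4 -> 4, 8 -> 8
    return to_hex(compose(s2, a, s1))

if __name__ == "__main__":
    print(demo())
```

Because A is built from XOR only, it adds no AND gates, so the AND-gate count of the composed S-box is at most the sum of the counts for $S_1$ and $S_2$.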
Cite this article
Zajac, P., Jókay, M. Multiplicative complexity of bijective 4×4 S-boxes. Cryptogr. Commun. 6, 255–277 (2014). https://doi.org/10.1007/s12095-014-0100-y
DOI: https://doi.org/10.1007/s12095-014-0100-y