SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations

Published in Designs, Codes and Cryptography.

Abstract

We revisit the design of AND-RX block ciphers, that is, designs assembled from the most fundamental binary operations (AND, rotation and XOR) that do not rely on existing building blocks. Probably the most popular representative is the NSA cipher SIMON, which remains one of the most efficient designs but is difficult to evaluate for security. As our main contribution, we propose SAND, a new family of lightweight AND-RX block ciphers. To overcome the difficulty of security evaluation, SAND follows a novel design approach whose core idea is to restrict the AND-RX operations to act within nibbles. As a result, SAND admits an equivalent representation based on a \(4\times 8\) synthetic S-box (SSb), which enables the use of classical S-box-based security evaluation techniques. Consequently, for all versions of SAND, (a) we evaluated security bounds with respect to differential and linear attacks in both the single-key and related-key scenarios, and (b) we also evaluated security against impossible differential and zero-correlation linear attacks. This better understanding of the security enables the use of a relatively simple key schedule, which makes the round-based ASIC hardware implementation of SAND one of the state-of-the-art Feistel lightweight ciphers. As to software performance, thanks to its natural bitslice structure, SAND reaches the same level of performance as SIMON and is among the most software-efficient block ciphers.

Notes

  1. For more details, we refer to the main page https://www.cryptolux.org/index.php/Lightweight_Cryptography, maintained by the CryptoLUX research group.

  2. The diffusion test codes are available at https://github.com/sand-bar/SAND-Diffusion-Test.

  3. Valid means that the DDT entry of the corresponding differential propagation pair is non-zero. Similarly, for the linear case introduced later, it means that the LAT entry of the corresponding linear mask pair is non-zero.

  4. We provide our source code at https://github.com/sand-bar/SAND-Trail-Search, which gives more details of these search models; they are based on [2, 38, 66].

  5. Informally speaking, a secure shared gate satisfies the properties of correctness, non-completeness and uniformity [56, 57].

References

  1. Andreeva E., Lallemand V., Purnal A., Reyhanitabar R., Roy A., Vizár D.: ForkAE v.1. In: Submission to Round 2 of the NIST Lightweight Cryptography Standardization process (2020).

  2. Ankele R., Kölbl S.: Mind the gap—a closer look at the security of block ciphers against differential cryptanalysis. In: Selected Areas in Cryptography—SAC 2018—25th International Conference, Calgary, AB, Canada, 15–17 August 2018, Revised Selected Papers. pp. 163–190 (2018). https://doi.org/10.1007/978-3-030-10970-7_8.

  3. Ashur T., Liu Y.: Rotational cryptanalysis in the presence of constants. IACR Trans. Symmetric Cryptol. 2016(1), 57–70 (2016). https://doi.org/10.13154/tosc.v2016.i1.57-70.

  4. Avanzi R.: The QARMA block cipher family: almost MDS matrices over rings with zero divisors, nearly symmetric Even-Mansour constructions with non-involutory central rounds, and search heuristics for low-latency S-boxes. IACR Trans. Symmetric Cryptol. 2017(1), 4–44 (2017). https://doi.org/10.13154/tosc.v2017.i1.4-44.

  5. Banik S., Bogdanov A., Isobe T., Shibutani K., Hiwatari H., Akishita T., Regazzoni F.: Midori: A block cipher for low energy. In: Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, 29 November–December 3, 2015, Proceedings, Part II, pp. 411–436 (2015). https://doi.org/10.1007/978-3-662-48800-3_17.

  6. Banik S., Pandey S.K., Peyrin T., Sasaki Y., Sim S.M., Todo Y.: GIFT: a small present—towards reaching the limit of lightweight encryption. In: Cryptographic Hardware and Embedded Systems—CHES 2017—19th International Conference, Taipei, Taiwan, 25–28 September 2017, Proceedings. pp. 321–345 (2017). https://doi.org/10.1007/978-3-319-66787-4_16.

  7. Banik S., Bao Z., Isobe T., Kubo H., Liu F., Minematsu K., Sakamoto K., Shibata N., Shigeri M.: WARP: Revisiting GFN for lightweight 128-bit block cipher. In: IACR Cryptology ePrint Archives 2020, 1320 (2020). https://eprint.iacr.org/2020/1320/.

  8. Banik S., Bogdanov A., Peyrin T., Sasaki Y., Sim S.M., Tischhauser E., Todo Y.: SUNDAE-GIFT v1.0. In: Submission to Round 2 of the NIST Lightweight Cryptography Standardization process (2020).

  9. Banik S., Chakraborti A., Iwata T., Minematsu K., Nandi M., Peyrin T., Sasaki Y., Sim S.M., Todo Y.: GIFT-COFB v1.0. In: Finalists of the NIST Lightweight Cryptography Standardization process (2021).

  10. Bansod G., Patil A., Sutar S., Pisharoty N.: ANU: an ultra lightweight cipher design for security in IoT. Security Commun. Netw. 9(18), 5238–5251 (2016).

  11. Baysal A., Sahin S.: RoadRunneR: a small and fast bitslice block cipher for low cost 8-bit processors. In: Lightweight Cryptography for Security and Privacy—4th International Workshop, LightSec 2015, Bochum, Germany, 10–11 September 2015, Revised Selected Papers, pp. 58–76 (2015). https://doi.org/10.1007/978-3-319-29078-2_4.

  12. Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive 2013, 404 (2013). http://eprint.iacr.org/2013/404.

  13. Beierle C., Jean J., Kölbl S., Leander G., Moradi A., Peyrin T., Sasaki Y., Sasdrich P., Sim S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Advances in Cryptology—CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016, Proceedings, Part II, pp. 123–153 (2016). https://doi.org/10.1007/978-3-662-53008-5_5.

  14. Beierle C., Leander G., Moradi A., Rasoolzadeh S.: CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks. IACR Trans. Symmetric Cryptol. 2019(1), 5–45 (2019). https://doi.org/10.13154/tosc.v2019.i1.5-45.

  15. Beierle C., Jean J., Kölbl S., Leander G., Moradi A., Peyrin T., Sasaki Y., Sasdrich P., Sim S.M.: SKINNY-AEAD and SKINNY-Hash v1.1. In: Submission to Round 2 of the NIST Lightweight Cryptography Standardization process (2020).

  16. Benadjila R., Guo J., Lomné V., Peyrin T.: Implementing lightweight block ciphers on x86 architectures. In: Selected Areas in Cryptography—SAC 2013—20th International Conference, Burnaby, BC, Canada, 14–16 August 2013, Revised Selected Papers, pp. 324–351 (2013). https://doi.org/10.1007/978-3-662-43414-7_17.

  17. Berger T.P., Francq J., Minier M.: CUBE cipher: a family of quasi-involutive block ciphers easy to mask. In: Codes, Cryptology, and Information Security—First International Conference, C2SI 2015, Rabat, Morocco, 26–28 May 2015, Proceedings—In Honor of Thierry Berger, pp. 89–105 (2015). https://doi.org/10.1007/978-3-319-18681-8_8.

  18. Bertoni G., Daemen J., Peeters M., Van Assche G.: Keccak. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 313–314. Springer, New York (2013).

  19. Biham E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965.

  20. Biham E., Shamir A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991). https://doi.org/10.1007/BF00630563.

  21. Biham E., Biryukov A., Shamir A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In: Advances in Cryptology—EUROCRYPT ’99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, 2–6 May 1999, Proceedings, pp. 12–23 (1999). https://doi.org/10.1007/3-540-48910-X_2.

  22. Bogdanov A., Rijmen V.: Linear hulls with correlation zero and linear cryptanalysis of block ciphers. Des. Codes Cryptogr. 70(3), 369–383 (2014). https://doi.org/10.1007/s10623-012-9697-z.

  23. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Cryptographic Hardware and Embedded Systems—CHES 2007, 9th International Workshop, Vienna, Austria, 10–13 September 2007, Proceedings, pp. 450–466 (2007). https://doi.org/10.1007/978-3-540-74735-2_31.

  24. Borghoff J., Canteaut A., Güneysu T., Kavun E.B., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S.S., Yalçin T.: PRINCE—A low-latency block cipher for pervasive computing applications - extended abstract. In: Advances in Cryptology—ASIACRYPT 2012—18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, 2–6 December 2012, Proceedings. pp. 208–225 (2012). https://doi.org/10.1007/978-3-642-34961-4_14.

  25. Chakraborti A., Datta N., Jha A., Lopez C.M., Nandi M., Sasaki Y.: LOTUS-AEAD/LOCUS-AEAD. In: Submission to Round 2 of the NIST Lightweight Cryptography Standardization Process (2020).

  26. Chakraborti A., Datta N., Jha A., Nandi M.: HYENA. In: Submission to Round 2 of the NIST Lightweight Cryptography Standardization Process (2020).

  27. Chen H., Wang X.: Improved linear hull attack on round-reduced simon with dynamic key-guessing techniques. In: Fast Software Encryption—23rd International Conference, FSE 2016, Bochum, Germany, 20–23 March 2016, Revised Selected Papers, pp. 428–449 (2016). https://doi.org/10.1007/978-3-662-52993-5_22.

  28. Chen S., Fan Y., Fu Y., Huang L., Wang M.: On the design of ANT family block ciphers. J. Cryptol. Res. 6(6), 748–759 (2019).

  29. Cui T., Jia K., Fu K., Chen S., Wang M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016, 689 (2016). http://eprint.iacr.org/2016/689.

  30. Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Information Security and Cryptography, Springer, Berlin (2002). https://doi.org/10.1007/978-3-662-04722-4.

  31. Daemen J., Peeters M., Van Assche G., Rijmen V.: Nessie proposal: NOEKEON. In: First Open NESSIE Workshop, pp. 213–230 (2000).

  32. Diffie W., Hellman M.E.: Special feature exhaustive cryptanalysis of the NBS data encryption standard. IEEE Comput. 10(6), 74–84 (1977). https://doi.org/10.1109/C-M.1977.217750.

  33. Dinu D., Perrin L., Udovenko A., Velichkov V., Großschädl J., Biryukov A.: Design strategies for ARX with provable bounds: Sparx and LAX. In: Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 4–8 December 2016, Proceedings, Part I, pp. 484–513 (2016). https://doi.org/10.1007/978-3-662-53887-6_18.

  34. Dobraunig C., Eichlseder M., Mendel F., Schläffer M.: Ascon. Submission to the Caesar Competition. Institute for Applied Information Processing and Communications, Graz University of Technology, Graz (2014).

  35. ElSheikh M., Youssef A.M.: Related-key differential cryptanalysis of full round CRAFT. In: Security, Privacy, and Applied Cryptography Engineering—9th International Conference, SPACE 2019, Gandhinagar, India, 3–7 December 2019, Proceedings, pp. 50–66 (2019). https://doi.org/10.1007/978-3-030-35869-3_6.

  36. Guo J., Peyrin T., Poschmann A., Robshaw M.J.B.: The LED block cipher. In: Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, 28 September–1 October 2011, Proceedings, pp. 326–341 (2011). https://doi.org/10.1007/978-3-642-23951-9_22.

  37. Guo H., Sun S., Shi D., Sun L., Sun Y., Hu L., Wang M.: Differential attacks on CRAFT exploiting the involutory s-boxes and tweak additions. IACR Trans. Symmetric Cryptol. 2020(3), 119–151 (2020). https://doi.org/10.13154/tosc.v2020.i3.119-151.

  38. Hadipour H., Sadeghi S., Niknam M.M., Song L., Bagheri N.: Comprehensive security analysis of CRAFT. IACR Trans. Symmetric Cryptol. 2019(4), 290–317 (2019). https://doi.org/10.13154/tosc.v2019.i4.290-317.

  39. Iwata T., Khairallah M., Minematsu K., Peyrin T.: Remus v1.0. In: Submission to Round 1 of the NIST Lightweight Cryptography Standardization Process (2019).

  40. Iwata T., Khairallah M., Minematsu K., Peyrin T., Sasaki Y., Sim S.M., Sun L.: Thank Goodness Its Friday (TGIF). In: Submission to Round 1 of the NIST Lightweight Cryptography Standardization Process (2019).

  41. Iwata T., Khairallah M., Minematsu K., Peyrin T.: Romulus v1.2. In: Finalists of the NIST Lightweight Cryptography Standardization Process (2021).

  42. Jean J., Peyrin T., Sim S.M., Tourteaux J.: Optimizing implementations of lightweight building blocks. IACR Trans. Symmetric Cryptol. 2017(4), 130–168 (2017). https://doi.org/10.13154/tosc.v2017.i4.130-168.

  43. Khovratovich D., Nikolic I., Pieprzyk J., Sokolowski P., Steinfeld R.: Rotational cryptanalysis of ARX revisited. In: Fast Software Encryption—22nd International Workshop, FSE 2015, Istanbul, Turkey, 8–11 March 2015, Revised Selected Papers, pp. 519–536 (2015). https://doi.org/10.1007/978-3-662-48116-5_25.

  44. Knudsen L.R.: Cryptanalysis of LOKI. In: Advances in Cryptology—ASIACRYPT ’91, International Conference on the Theory and Applications of Cryptology, Fujiyoshida, Japan, 11–14 November 1991, Proceedings, pp. 22–35 (1991). https://doi.org/10.1007/3-540-57332-1_2.

  45. Knudsen L.R.: Deal—a 128-bit block cipher. In: NIST AES Proposal (1998).

  46. Knudsen L.R., Wagner D.A.: Integral cryptanalysis. In: Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, 4–6 February 2002, Revised Papers, pp. 112–127 (2002). https://doi.org/10.1007/3-540-45661-9_9.

  47. Kölbl S., Leander G., Tiessen T.: Observations on the SIMON block cipher family. In: Advances in Cryptology—CRYPTO 2015—35th Annual Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 2015, Proceedings, Part I, pp. 161–185 (2015). https://doi.org/10.1007/978-3-662-47989-6_8.

  48. Leurent G., Pernot C., Schrottenloher A.: Clustering effect in Simon and Simeck. Cryptology ePrint Archive, Report 2021/1198 (2021). https://ia.cr/2021/1198.

  49. Liu Z., Li Y., Wang M.: Optimal differential trails in Simon-like ciphers. IACR Trans. Symmetric Cryptol. 2017(1), 358–379 (2017). https://doi.org/10.13154/tosc.v2017.i1.358-379.

  50. Liu Z., Li Y., Wang M.: The security of simon-like ciphers against linear cryptanalysis. IACR Cryptology ePrint Archive 2017, 576 (2017). http://eprint.iacr.org/2017/576.

  51. Liu Z., Li Y., Wang M.: The security of simon-like ciphers against linear cryptanalysis. Cryptology ePrint Archive, Report 2017/576 (2017). https://eprint.iacr.org/2017/576.

  52. Louis W.: Software for SUPERCOP benchmarking of SIMON and SPECK. https://github.com/lrwinge/simon_speck_supercop.

  53. Lu J., Liu Y., Ashur T., Sun B., Li C.: Rotational-XOR cryptanalysis of simon-like block ciphers. In: Information Security and Privacy—25th Australasian Conference, ACISP 2020, Perth, WA, Australia, 30 November–2 December 2020, Proceedings, pp. 105–124 (2020). https://doi.org/10.1007/978-3-030-55304-3_6.

  54. Matsui M.: Linear cryptanalysis method for DES cipher. In: Advances in Cryptology—EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, 23–27 May 1993, Proceedings, pp. 386–397 (1993). https://doi.org/10.1007/3-540-48285-7_33.

  55. Mouha N., Wang Q., Gu D., Preneel B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Information Security and Cryptology—7th International Conference, Inscrypt 2011, Beijing, China, 30 November–3 December 2011. Revised Selected Papers, pp. 57–76 (2011). https://doi.org/10.1007/978-3-642-34704-7_5.

  56. Nikova S., Rechberger C., Rijmen V.: Threshold implementations against side-channel attacks and glitches. In: Ning, P., Qing, S., Li, N. (eds.) Information and Communications Security, 8th International Conference, ICICS 2006, Raleigh, NC, USA, 4–7 December 2006, Proceedings. Lecture Notes in Computer Science, vol. 4307, pp. 529–545. Springer, Berlin (2006). https://doi.org/10.1007/11935308_38.

  57. Nikova S., Rijmen V., Schläffer M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011). https://doi.org/10.1007/s00145-010-9085-7.

  58. Piret G., Roche T., Carlet C.: PICARO—A block cipher allowing efficient higher-order side-channel resistance. In: Applied Cryptography and Network Security—10th International Conference, ACNS 2012, Singapore, 26–29 June 2012, Proceedings, pp. 311–328 (2012). https://doi.org/10.1007/978-3-642-31284-7_19.

  59. Sakamoto K., Minematsu K., Shibata N., Shigeri M., Kubo H., Funabiki Y., Bogdanov A., Morioka S., Isobe T.: Tweakable TWINE: building a tweakable block cipher on generalized feistel structure. In: Advances in Information and Computer Security - 14th International Workshop on Security, IWSEC 2019, Tokyo, Japan, 28–30 August 2019, Proceedings, pp. 129–145 (2019). https://doi.org/10.1007/978-3-030-26834-3_8.

  60. Sasaki Y.: Related-key boomerang attacks on full ANU lightweight block cipher. In: International Conference on Applied Cryptography and Network Security, pp. 421–439. Springer, Cham (2018).

  61. Sasaki Y., Todo Y.: New impossible differential search tool from design and cryptanalysis aspects - revealing structural properties of several ciphers. In: Advances in Cryptology—EUROCRYPT 2017—36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, 30 April–4 May 2017, Proceedings, Part III, pp. 185–215 (2017). https://doi.org/10.1007/978-3-319-56617-7_7.

  62. Selçuk A.A.: On probability of success in linear and differential cryptanalysis. J. Cryptol. 21(1), 131–147 (2008). https://doi.org/10.1007/s00145-007-9013-7.

  63. Shibutani K., Isobe T., Hiwatari H., Mitsuda A., Akishita T., Shirai T.: Piccolo: An ultra-lightweight blockcipher. In: Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, 28 September–1 October 2011, Proceedings, pp. 342–357 (2011). https://doi.org/10.1007/978-3-642-23951-9_23.

  64. Shirai T., Shibutani K., Akishita T., Moriai S., Iwata T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Fast Software Encryption, 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, 26–28 March 2007, Revised Selected Papers, pp. 181–195 (2007). https://doi.org/10.1007/978-3-540-74619-5_12.

  65. Soos M., Nohl K., Castelluccia C.: Extending SAT solvers to cryptographic problems. In: Theory and Applications of Satisfiability Testing - SAT 2009, 12th International Conference, SAT 2009, Swansea, UK, 30 June–3 July 2009, Proceedings, pp. 244–257 (2009). https://doi.org/10.1007/978-3-642-02777-2_24.

  66. Stefan K.: CryptoSMT: An easy to use tool for cryptanalysis of symmetric primitives. https://github.com/kste/cryptosmt.

  67. Sun S., Hu L., Wang P., Qiao K., Ma X., Song L.: Automatic security evaluation and (related-key) differential characteristic search: application to simon, present, lblock, DES(L) and other bit-oriented block ciphers. In: Advances in Cryptology—ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., 7–11 December 2014, Proceedings, Part I, pp. 158–178 (2014). https://doi.org/10.1007/978-3-662-45611-8_9.

  68. Suzaki T., Minematsu K., Morioka S., Kobayashi E.: TWINE: a lightweight block cipher for multiple platforms. In: Selected Areas in Cryptography, 19th International Conference, SAC 2012, Windsor, ON, Canada, 15–16 August 2012, Revised Selected Papers, pp. 339–354 (2012). https://doi.org/10.1007/978-3-642-35999-6_22.

  69. Todo Y.: Structural evaluation by generalized integral property. In: Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 26–30 April 2015, Proceedings, Part I, pp. 287–314 (2015). https://doi.org/10.1007/978-3-662-46800-5_12.

  70. Todo Y., Morii M.: Bit-based division property and application to simon family. In: Fast Software Encryption - 23rd International Conference, FSE 2016, Bochum, Germany, 20–23 March 2016, Revised Selected Papers, pp. 357–377 (2016). https://doi.org/10.1007/978-3-662-52993-5_18.

  71. Wang N., Wang X., Jia K., Zhao J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Sci. China Inf. Sci. 61(9), 098103:1-098103:3 (2018). https://doi.org/10.1007/s11432-017-9231-5.

  72. Wu W., Zhang L.: LBlock: A lightweight block cipher. In: Applied Cryptography and Network Security—9th International Conference, ACNS 2011, Nerja, Spain, 7–10 June 2011, Proceedings, pp. 327–344 (2011). https://doi.org/10.1007/978-3-642-21554-4_19.

  73. Xiang Z., Zhang W., Bao Z., Lin D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 4–8 December 2016, Proceedings, Part I, pp. 648–678 (2016). https://doi.org/10.1007/978-3-662-53887-6_24.

  74. Yang G., Zhu B., Suder V., Aagaard M.D., Gong G.: The simeck family of lightweight block ciphers. In: Cryptographic Hardware and Embedded Systems—CHES 2015—17th International Workshop, Saint-Malo, France, 13–16 September 2015, Proceedings, pp. 307–329 (2015). https://doi.org/10.1007/978-3-662-48324-4_16.

  75. Zhang W., Bao Z., Lin D., Rijmen V., Yang B., Verbauwhede I.: RECTANGLE: a bit-slice lightweight block cipher suitable for multiple platforms. Sci. China Inf. Sci. 58(12), 1–15 (2015). https://doi.org/10.1007/s11432-015-5459-7.

Acknowledgements

This work is supported by the National Natural Science Foundation of China (Grant No. 62032014), the National Key Research and Development Program of China (Grant No. 2018YFA0704702), the Major Basic Research Project of Natural Science Foundation of Shandong Province, China (Grant No. ZR202010220025). Ling Sun is partly supported by the National Natural Science Foundation of China (Grant No. 62002201). Chun Guo is partly supported by the National Natural Science Foundation of China (Grant No. 62002202). Weijia Wang is partly supported by the Program of Qilu Young Scholars (Grant No. 61580082063088) of Shandong University, National Natural Science Foundation of China (Grant No. 62002204).

Author information

Corresponding author

Correspondence to Meiqin Wang.

Additional information

Communicated by T. Iwata.

Appendices

Appendix A: Test vectors

/* SAND-64/128 */

K: 0F 1F 2F 3F 4F 5F 6F 7F 8F 9F AF BF CF DF EF FF

P: 0F 1F 2F 3F 4F 5F 6F 7F

C: 4D E9 0F 3B 2B 5E 70 6B

/* SAND-128/128 */

K: 1F 1E 1D 1C 1B 1A 19 18 17 16 15 14 13 12 11 10

P: FF EF DF CF BF AF 9F 8F 7F 6F 5F 4F 3F 2F 1F 0F

C: F1 FB E8 65 BE CE 10 F8 2A 34 C6 C9 9D 6A 73 03

Appendix B: SAND reference implementations

B.1 SAND-64/128 C reference code from the bitslice view

(Listing given as figures a and b in the original; not reproduced in this preview.)

B.2 SAND-128/128 C reference code from the bitslice view

(Listing given as figures c and d in the original; not reproduced in this preview.)

B.3 SAND-64/128 C reference code from the SSb view

(Listing given as figures e and f in the original; not reproduced in this preview.)

B.4 SAND-128/128 C reference code from the SSb view

(Listing given as figures g and h in the original; not reproduced in this preview.)

Appendix C: DDT of SSb

For simplicity, we only present the DDT of SSb in this section. More details of SSb can be found at https://github.com/sand-bar/SAND-Synthetic-Sbox.

Table 14 DDT of SSb (4-bit input and 8-bit output)

Appendix D: 7-round optimal differential and linear characteristics for SAND-64/128

We give the following 7-round optimal differential and linear characteristics for SAND-64/128 as examples.

Table 15 7-round optimal differential characteristic with probability \(2 ^ {-24}\)
Table 16 7-round optimal linear characteristic with correlation \(2 ^ {-12}\)

Appendix E: Experiments of differential and linear properties for 7-round trails

To verify the model under the S-box transformation and also to evaluate the clustering effect, we consider the differential and linear hull effects, and the distributions over random keys, of the example trails presented in Appendix D. Although these experiments are limited in the number of rounds and the number of trails, they illustrate to some extent the differential and linear properties of the SAND block cipher (the differential and linear hull effects, and the probability distributions over random keys).

E.1 Clustering trails by solver

For the optimal 7-round differential trail listed in Table 15, we fix the input and output differences in the search program and enumerate the number of trails within this differential by the SAT solver [65]. The clustering result indicates that the differential effect for this 7-round differential is not significant. Similarly, we also study the linear hull effect of the 7-round linear trail listed in Table 16, which is not notable.

Fig. 16: Cumulative distributions of the number of right pairs over 10,000 random keys (blue) and the expected normal distribution (red)

Fig. 17: Cumulative distributions of the absolute linear bias over 10,000 random keys (blue) and the expected normal distribution (red)

E.2 Distribution tests over randomly sampled keys

To perform the probability distribution tests of the above trails over randomly sampled keys, we start by randomly selecting 10,000 keys. Then, for each selected key, we encrypt \(2 ^ {30}\) blocks and count the number of right pairs for the differential trail (resp. the absolute linear bias for the linear trail). The results are compared with the expected normal distributions for the differential and linear cases from [62], as shown in Figs. 16 and 17 respectively; the experimental distributions match the expected ones well.

Appendix F: Threshold implementation of the SAND cipher

In this section, we show that the threshold implementation of the SAND cipher can take advantage of its Toffoli-gate-based structure.

The concept of threshold implementation is to randomly encode each secret-dependent bit (say, x) into several shares (say, \(x_1, \ldots , x_n\)) such that \(x = x_1 \oplus \ldots \oplus x_n\), and then to perform the cryptographic algorithm on the shared form rather than on the raw secret. In the rest of this section, unless otherwise noted, we consider the most efficient first-order secure case, where the number of shares is 3. As any cryptographic algorithm can be represented as a composition of XOR and AND gates, the shared implementation can be obtained by transforming each gate into its shared counterpart. The shared XOR gate is trivially constructed by XORing the corresponding input shares separately. The construction of a shared AND gate, however, is non-trivial: previous work [57] has shown that it is impossible to construct a secure AND gate (see Note 5) with 3 shares without introducing any randomness.

A Toffoli gate is a composite gate that takes 3 input bits (say, x, y and z) and outputs \(z = x \oplus y z\), i.e. the AND of y and z XORed onto x. Although a single AND gate is not friendly to threshold implementation, a secure shared Toffoli gate with 3 shares can be constructed without fresh randomness as follows, where the \(z_i\) on the left-hand side are the output shares and all shares on the right-hand side are input shares:

$$\begin{aligned}&z_1 = x_1 \oplus y_2z_2 \oplus y_2z_3 \oplus y_3z_2\\&z_2 = x_2 \oplus y_3z_3 \oplus y_3z_1 \oplus y_1z_3\\&z_3 = x_3 \oplus y_1z_1 \oplus y_1z_2 \oplus y_2z_1 \end{aligned}$$
(1)

This structure contributes to an efficient threshold implementation of the SAND cipher.
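As an added example (not the paper's or the SAND project's code), the following Python checks the 3-share Toffoli gate of Eq. (1) exhaustively for the three properties named in Note 5 (correctness, non-completeness, uniformity) and contrasts it with the same cross terms used as a plain 3-share AND, which passes the first two checks but fails uniformity; all function names here are this example's own.

```python
"""Added example (not the paper's code): 3-share threshold implementation (TI) of the
Toffoli gate (x, y, z) -> (x ^ (y & z), y, z) from Eq. (1), checked exhaustively for the
three TI properties of Note 5: correctness, non-completeness and uniformity.
All helper names here are this example's own, not the paper's."""
from collections import Counter
from itertools import product

# All 3-share encodings (s1, s2, s3) of a secret bit v, i.e. s1 ^ s2 ^ s3 == v.
SHARINGS = {v: [s for s in product((0, 1), repeat=3) if s[0] ^ s[1] ^ s[2] == v]
            for v in (0, 1)}


def ti_toffoli(xs, ys, zs):
    """Shared Toffoli gate, Eq. (1): output share i only touches shares of y and z
    with index != i. Returns the output sharing (w, y, z) with w = x ^ (y & z)."""
    x1, x2, x3 = xs
    y1, y2, y3 = ys
    z1, z2, z3 = zs
    w1 = x1 ^ (y2 & z2) ^ (y2 & z3) ^ (y3 & z2)
    w2 = x2 ^ (y3 & z3) ^ (y3 & z1) ^ (y1 & z3)
    w3 = x3 ^ (y1 & z1) ^ (y1 & z2) ^ (y2 & z1)
    return ((w1, w2, w3), ys, zs)


def ti_and(ys, zs):
    """The same cross terms without the x shares: a plain 3-share AND, which [57]
    shows cannot be made uniform without fresh randomness."""
    y1, y2, y3 = ys
    z1, z2, z3 = zs
    w1 = (y2 & z2) ^ (y2 & z3) ^ (y3 & z2)
    w2 = (y3 & z3) ^ (y3 & z1) ^ (y1 & z3)
    w3 = (y1 & z1) ^ (y1 & z2) ^ (y2 & z1)
    return ((w1, w2, w3),)


def recombine(shares):
    return shares[0] ^ shares[1] ^ shares[2]


def is_correct(gate, n_in, unshared):
    """Correctness: recombined output shares equal the unshared function for every
    combination of input share values."""
    for ins in product(product((0, 1), repeat=3), repeat=n_in):
        secrets = tuple(recombine(s) for s in ins)
        if tuple(recombine(o) for o in gate(*ins)) != unshared(*secrets):
            return False
    return True


def is_non_complete(gate, n_in, n_out):
    """Non-completeness: each output share is independent of at least one share of
    every input bit (tested by flipping that share over all inputs)."""
    def flipped(ins, v, j):
        ins = [list(s) for s in ins]
        ins[v][j] ^= 1
        return tuple(tuple(s) for s in ins)

    inputs = list(product(product((0, 1), repeat=3), repeat=n_in))
    for o in range(n_out):
        for i in range(3):
            for v in range(n_in):
                if not any(all(gate(*ins)[o][i] == gate(*flipped(ins, v, j))[o][i]
                               for ins in inputs) for j in range(3)):
                    return False
    return True


def is_uniform(gate, n_in, n_out):
    """Uniformity: for each secret input, every valid output sharing is hit equally
    often over the valid input sharings, so the outputs are again uniform shares."""
    for secrets in product((0, 1), repeat=n_in):
        hits = Counter(gate(*ins) for ins in product(*(SHARINGS[s] for s in secrets)))
        if len(hits) != 4 ** n_out or len(set(hits.values())) != 1:
            return False
    return True


def check_all():
    """(correct, non-complete, uniform) for the TI Toffoli gate and for the plain TI AND."""
    toffoli = (is_correct(ti_toffoli, 3, lambda x, y, z: (x ^ (y & z), y, z)),
               is_non_complete(ti_toffoli, 3, 3), is_uniform(ti_toffoli, 3, 3))
    and3 = (is_correct(ti_and, 2, lambda y, z: (y & z,)),
            is_non_complete(ti_and, 2, 1), is_uniform(ti_and, 2, 1))
    return toffoli, and3
```

Running `check_all()` returns `((True, True, True), (True, True, False))`: the Toffoli gate is a complete first-order TI on its own, while the bare AND needs remasking, which is why SAND's Toffoli-based round function is convenient to share.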

Fig. 18: Threshold implementation of the SAND round function

Figure 18 shows the threshold implementation of the SAND round function, where all the shared linear operations (XOR, rotation and \(P_n\)) are performed on each share separately and the TI Toffoli gate is computed by Eq. 1. Note that each of \(G_0\) and \(G_1\) contains two Toffoli gates that must be separated by a register to prevent glitches from propagating between them. Thus, computing the round function requires two cycles.

Cite this article

Chen, S., Fan, Y., Sun, L. et al. SAND: an AND-RX Feistel lightweight block cipher supporting S-box-based security evaluations. Des. Codes Cryptogr. 90, 155–198 (2022). https://doi.org/10.1007/s10623-021-00970-9