A further study on bridge structures and constructing bijective S-boxes for low-latency masking

Published in Designs, Codes and Cryptography

Abstract

In ToSC 2020, Bilgin et al. proposed a new structure called the bridge to construct S-boxes with low AND depth for low-latency masking. In this paper, we investigate the bridge structure in detail. Firstly, we prove the conjecture of Bilgin et al. on lower bounds for the differential uniformity and linearity of the 2n-bit bridge structure. However, these bounds are not always tight for a specific n. In particular, for 8-bit permutations with the bridge structure, we further prove that the tight lower bounds on the differential uniformity and linearity are 16 and 64, respectively. Then, we find the best implementations of such 8-bit permutations that reach these tight bounds for low-latency masking. We derive that, without global optimization, the optimal 8-bit permutations with 3-round balanced Feistel or Misty networks both require at least 12 AND gates with AND depth 4, whereas the optimal 8-bit permutations with the bridge structure require 12 AND gates with only AND depth 3. In addition, we propose for the first time a new unbalanced bridge structure with \(2n-1\)-, 2n- and \(2n+1\)-bit components. Applying this structure, we can even construct an 8-bit S-box and its inverse with notable AND depths of 2 and 3, which is, as far as we know, the lowest AND depth for 8-bit S-boxes with differential uniformity 16 and linearity 64.


Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Notes

  1. The symbol a||b means the concatenation of a and b.

  2. The list is the image set of elements from 0 to 7, i.e. \(S_1(0)=5, S_1(1)=6,\ldots , S_1(7)=4\). All the examples given throughout the paper are of similar forms.

  3. The row index \((i+1)\) of the DDT corresponds to \(b=(i_1,i_2,i_3,i_4)\in {\mathbb {F}}^4_{2}\), where \(i=i_1\cdot 2^3+i_2\cdot 2^2+i_3\cdot 2+i_4\). For example, the first row corresponds to \(b=(0,0,0,0)\).
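As an added illustration (not code from the paper), the following Python takes an S-box in the image-list form of note 2, builds its DDT in the row convention of note 3, and computes the differential uniformity and linearity that the abstract bounds (16 and 64 for 8-bit bridge permutations). The 3-bit S-box used is a constructed one, the cube map in \(\mathrm{GF}(2^3)\), not the paper's \(S_1\).

```python
# Added example (not from the paper): DDT, differential uniformity and
# linearity of an S-box given as the image list S(0), S(1), ..., S(2^n - 1).

def parity(v):
    """Parity of the bits of v (used for the GF(2) inner product a.x)."""
    return bin(v).count("1") & 1

def is_permutation(sbox):
    """True if the image list is a bijection on {0, ..., len(sbox) - 1}."""
    return sorted(sbox) == list(range(len(sbox)))

def ddt(sbox):
    """Difference distribution table. Row a (0-based; the paper's row index is
    a + 1, with a read as the integer value of the bit tuple) holds, for each
    output difference b, the number of x with S(x) ^ S(x ^ a) == b."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for x in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def differential_uniformity(sbox):
    """Largest DDT entry once the trivial row a = 0 is excluded."""
    return max(v for row in ddt(sbox)[1:] for v in row)

def walsh(sbox, a, b):
    """Walsh coefficient sum_x (-1)^(b.S(x) ^ a.x) for input mask a, output mask b."""
    return sum(1 - 2 * (parity(b & sbox[x]) ^ parity(a & x)) for x in range(len(sbox)))

def linearity(sbox):
    """max |W(a, b)| over all input masks a and all nonzero output masks b."""
    size = len(sbox)
    return max(abs(walsh(sbox, a, b)) for a in range(size) for b in range(1, size))

# Constructed 3-bit S-box (not the paper's S_1): the cube map x -> x^3 in
# GF(2^3) with modulus x^3 + x + 1, written in the paper's list form.
CUBE3 = [0, 1, 3, 4, 5, 6, 7, 2]

if __name__ == "__main__":
    assert is_permutation(CUBE3)
    for a, row in enumerate(ddt(CUBE3)):
        print(f"row {a + 1} (input difference {a:03b}): {row}")
    print("differential uniformity:", differential_uniformity(CUBE3))
    print("linearity:", linearity(CUBE3))
```

For this constructed S-box the computation returns differential uniformity 2 and linearity 4; the same functions accept 4-bit or 8-bit image lists unchanged.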

References

  1. Ali, F., Hani, F.A.: A new 128-bit block cipher. Universiti Putra Malaysia, Selangor (2009)

  2. Baksi, A., Guilley, S., Shrivastwa, R.R., Takarabt, S.: From substitution box to threshold. Cryptology ePrint Archive, Report 2023/633 (2023). https://eprint.iacr.org/2023/633

  3. Bao, Z., Guo, J., Ling, S., Sasaki, Y.: PEIGEN – a platform for evaluation, implementation, and generation of S-boxes. IACR Trans. Symmetric Cryptol. 2019(1), 330–394 (2019)

  4. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Advances in Cryptology–CRYPTO ’90, 10th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1990, Proceedings, Lecture Notes in Computer Science, vol. 537, pp. 2–21. Springer (1990)

  5. Bilgin, B.: Threshold implementations: as countermeasure against higher-order differential power analysis. Ph.D. thesis, University of Twente, Enschede (2015)

  6. Bilgin, B., De Meyer, L., Duval, S., Levi, I., Standaert, F.: Low AND depth and efficient inverses: a guide on S-boxes for low-latency masking. IACR Trans. Symmetric Cryptol. 2020(1), 144–184 (2020)

  7. Bilgin, B., Nikova, S., Nikov, V., Rijmen, V., Stütz, G.: Threshold implementations of all \(3\times 3\) and \(4\times 4\) S-boxes. In: Cryptographic Hardware and Embedded Systems–CHES 2012–14th International Workshop, Leuven, Belgium, September 9-12, 2012, Proceedings, Lecture Notes in Computer Science, vol. 7428, pp. 76–91. Springer (2012)

  8. Boss, E., Grosso, V., Güneysu, T., Leander, G., Moradi, A., Schneider, T.: Strong 8-bit Sboxes with efficient masking in hardware extended version. J. Cryptogr. Eng. 7(2), 149–165 (2017)

  9. De Cannière, C.: Analysis and design of symmetric encryption algorithms. Ph.D. thesis, Katholieke Universiteit Leuven (2007)

  10. Canteaut, A., Duval, S., Leurent, G.: Construction of lightweight S-boxes using Feistel and MISTY structures. In: Selected Areas in Cryptography–SAC 2015–22nd International Conference, Sackville, NB, Canada, August 12-14, 2015, Revised Selected Papers, Lecture Notes in Computer Science, vol. 9566, pp. 373–393. Springer (2015)

  11. Canteaut, A., Duval, S., Perrin, L.: A generalisation of Dillon’s APN permutation with the best known differential and nonlinear properties for all fields of size \(2^{4k+2}\). IEEE Trans. Inf. Theory 63(11), 7575–7591 (2017)

  12. Canteaut, A., Perrin, L.: On CCZ-equivalence, extended-affine equivalence, and function twisting. Finite Fields Their Appl. 56, 209–246 (2019)

  13. Carlet, C. (ed.): Boolean Functions for Cryptography and Coding Theory. Cambridge University Press (2021)

  14. Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: Advances in Cryptology–EUROCRYPT ’94, Workshop on the Theory and Application of Cryptographic Techniques, Perugia, Italy, May 9-12, 1994, Proceedings, Lecture Notes in Computer Science, vol. 950, pp. 356–365. Springer (1994)

  15. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Advances in Cryptology–CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 1999, Proceedings, Lecture Notes in Computer Science, vol. 1666, pp. 398–412. Springer (1999)

  16. Dobbertin, H.: One-to-one highly nonlinear power functions on \(\mathrm{GF}(2^n)\). Appl. Algebra Eng. Commun. Comput. 9(2), 139–152 (1998)

  17. ETSI/Sage: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report. Technical report, ETSI/Sage (2011)

  18. Feistel, H.: Cryptography and computer privacy. Sci. Am. 228(5), 15–23 (1973)

  19. Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.: Block ciphers that are easier to mask: how far can we go? In: Cryptographic Hardware and Embedded Systems–CHES 2013–15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013, Proceedings, Lecture Notes in Computer Science, vol. 8086, pp. 383–399. Springer (2013)

  20. Grosso, V., Leurent, G., Standaert, F., Varici, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Fast Software Encryption–21st International Workshop, FSE 2014, London, UK, March 3-5, 2014, Revised Selected Papers, Lecture Notes in Computer Science, vol. 8540, pp. 18–37. Springer (2014)

  21. Grosso, V., Leurent, G., Standaert, F.X., Varici, K., Durvaux, F., Gaspar, L., Kerckhof, S.: SCREAM & iSCREAM: side-channel resistant authenticated encryption with masking. Candidate for the CAESAR competition (2014)

  22. Hou, X.: Affinity of permutations of \(\mathbb{F}_2^n\). Discret. Appl. Math. 154(2), 313–325 (2006)

  23. Ishai, Y., Sahai, A., Wagner, D.A.: Private circuits: securing hardware against probing attacks. In: Advances in Cryptology–CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, Lecture Notes in Computer Science, vol. 2729, pp. 463–481. Springer (2003)

  24. Kim, H., Jeon, Y., Kim, G., Kim, J., Sim, B., Han, D., Seo, H., Kim, S., Hong, S., Sung, J., Hong, D.: PIPO: a lightweight block cipher with efficient higher-order masking software implementations. In: Information Security and Cryptology–ICISC 2020–23rd International Conference, Seoul, South Korea, December 2-4, 2020, Proceedings, Lecture Notes in Computer Science, vol. 12593, pp. 99–122. Springer (2020)

  25. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in Cryptology–CRYPTO ’96, 16th Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 1996, Proceedings, Lecture Notes in Computer Science, vol. 1109, pp. 104–113. Springer (1996)

  26. Lai, X., Massey, J.L.: A proposal for a new block encryption standard. In: Advances in Cryptology–EUROCRYPT ’90, Workshop on the Theory and Application of Cryptographic Techniques, Aarhus, Denmark, May 21-24, 1990, Proceedings, Lecture Notes in Computer Science, vol. 473, pp. 389–404. Springer (1990)

  27. Leander, G., Poschmann, A.: On the classification of 4 bit S-boxes. In: Arithmetic of Finite Fields, First International Workshop, WAIFI 2007, Madrid, Spain, June 21-22, 2007, Proceedings, Lecture Notes in Computer Science, vol. 4547, pp. 159–176. Springer (2007)

  28. Li, Y., Wang, M.: Constructing S-boxes for lightweight cryptography with Feistel structure. In: Cryptographic Hardware and Embedded Systems–CHES 2014–16th International Workshop, Busan, South Korea, September 23-26, 2014, Proceedings, Lecture Notes in Computer Science, vol. 8731, pp. 127–146. Springer (2014)

  29. Mangard, S., Pramstaller, N., Oswald, E.: Successfully attacking masked AES hardware implementations. In: Cryptographic Hardware and Embedded Systems–CHES 2005, 7th International Workshop, Edinburgh, UK, August 29–September 1, 2005, Proceedings, Lecture Notes in Computer Science, vol. 3659, pp. 157–171. Springer (2005)

  30. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Advances in Cryptology–EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, Lecture Notes in Computer Science, vol. 765, pp. 386–397. Springer (1993)

  31. Matsui, M.: New block encryption algorithm MISTY. In: Fast Software Encryption, 4th International Workshop, FSE ’97, Haifa, Israel, January 20-22, 1997, Proceedings, Lecture Notes in Computer Science, vol. 1267, pp. 54–68. Springer (1997)

  32. McKay, K., Bassham, L., Sönmez Turan, M., Mouha, N.: Report on lightweight cryptography. Tech. rep., National Institute of Standards and Technology (2016)

  33. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: Pushing the limits: a very compact and a threshold implementation of AES. In: Advances in Cryptology–EUROCRYPT 2011–30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011, Proceedings, Lecture Notes in Computer Science, vol. 6632, pp. 69–88. Springer (2011)

  34. Nikova, S., Rijmen, V., Schläffer, M.: Using normal bases for compact hardware implementations of the AES S-Box. In: Security and Cryptography for Networks, 6th International Conference, SCN 2008, Amalfi, Italy, September 10-12, 2008, Proceedings, Lecture Notes in Computer Science, vol. 5229, pp. 236–245. Springer (2008)

  35. Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)

  36. Nyberg, K.: Differentially uniform mappings for cryptography. In: Advances in Cryptology–EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, Lecture Notes in Computer Science, vol. 765, pp. 55–64. Springer (1993)

  37. Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Advances in Cryptology–CRYPTO ’92, 12th Annual International Cryptology Conference, Santa Barbara, California, USA, August 16-20, 1992, Proceedings, Lecture Notes in Computer Science, vol. 740, pp. 566–574. Springer (1992)

  38. Rothaus, O.S.: On bent functions. J. Comb. Theory Ser. A 20(3), 300–305 (1976)

  39. Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)

  40. Stern, J., Vaudenay, S.: CS-Cipher. In: Fast Software Encryption, 5th International Workshop, FSE ’98, Paris, France, March 23-25, 1998, Proceedings, Lecture Notes in Computer Science, vol. 1372, pp. 189–205. Springer (1998)

  41. Stoffelen, K.: Optimizing S-box implementations for several criteria using SAT solvers. In: Peyrin, T. (ed.) Fast Software Encryption–23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers, Lecture Notes in Computer Science, vol. 9783, pp. 140–160. Springer (2016)

Acknowledgements

The authors thank the anonymous reviewers for their careful reading and for their valuable comments. The work was supported by the National Science Foundation of China (Nos. 62102135, 62072161).

Corresponding author

Correspondence to Xiangyong Zeng.

Additional information

Communicated by C. Carlet.

Appendices

A Appendix

Table 7 The \(N_{S}(\delta =2)\) for 302 affine equivalence classes of 4-bit permutations

B Appendix

Figure a: The best implementation of the bridge structure.

Figure b: The best implementation of the 3-round Feistel structure with \(\delta =8\).

Figure c: The best implementation of the 3-round Feistel structure with \(\delta =16\).

Figure d: The best implementation of the 3-round Misty structure.

Figure e: An example of the unbalanced bridge structure.

About this article

Cite this article

Tian, S., Liu, Y. & Zeng, X. A further study on bridge structures and constructing bijective S-boxes for low-latency masking. Des. Codes Cryptogr. 91, 3709–3739 (2023). https://doi.org/10.1007/s10623-023-01266-w

  • DOI: https://doi.org/10.1007/s10623-023-01266-w
