Constructing S-boxes for Lightweight Cryptography with Feistel Structure

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


Differential uniformity and nonlinearity are two basic properties of S-boxes, which measure the resistance of S-boxes to differential and linear attack respectively. Besides these two properties, the hardware cost of S-boxes is also an important property which should be considered primarily in a limited resource environment. By use of Feistel structure, we investigate the problem of constructing S-boxes with excellent cryptographic properties and low hardware implementation cost in the present paper. Feistel structure is a widely used structure in the design of block ciphers, and it can be implemented easily in hardware. Three-round Feistel structure has been used to construct S-boxes in symmetric algorithms, such as CS-Ciper, CRYPTON and ZUC. In the present paper, we investigate the bounds on differential uniformity and nonlinearity of S-boxes constructed with three-round Feistel structure. By choosing suitable round functions, we show that for odd k, differential 4-uniform S-boxes over \(\mathbb{F}_{2^{k}}^2\) with the best known nonlinearity can be constructed via three-round Feistel structure. Some experiment results are also given which show that optimal 4-bit S-boxes can be constructed with 4 or 5 round unbalanced Feistel structure.


lightweight cryptography S-boxes Feistel structure differential uniformity nonlinearity 


  1. 1.
    Aoki, K.: On maximum non-averaged differential probability. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 118–130. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  2. 2.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    Budaghyan, L., Carlet, C., Pott, A.: New classes of almost bent and almost perfect nonlinear polynomials. IEEE Trans. on Inform. Theory 52(3), 1141–1152 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Budaghyan, L., Pott, A.: On differential uniformity and nonlinearity of functions. Discrete Mathematics 309(2), 371–384 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Canright, D.: A Very Compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Canteaut, A.: Differential cryptanalysis of Feistel ciphers and differentially δ-uniform mappings. In: Workshop on Selected Areas in Cryptography (SAC 1997), pp. 172–184 (1997)Google Scholar
  7. 7.
    Carlet, C., Charpin, P., Zinoviev, V.: Codes, bent functions and permutations sutiable for DES-like cryptosystems. Des. Codes Cryptogr. 15(2), 125–156 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Carlet, C.: Boolean Functions for Cryptography and Error Correcting Codes, Chapter of the monography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press (2010)Google Scholar
  9. 9.
    Carlet, C.: Vectorial Boolean Functions for Cryptography, Chapter of the monography. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–469. Cambridge University Press (2010)Google Scholar
  10. 10.
    Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  11. 11.
    Dobbertin, H.: One-to-one highly nonlinear power functions on GF(2n). Appl. Algebra Engrg. Comm. Comput. 9(2), 139–152 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Gold, R.: Maximal recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Trans. Inform. Theory 14, 154–156 (1968)CrossRefzbMATHGoogle Scholar
  13. 13.
    Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations. In: FSE 2014 (2014)Google Scholar
  14. 14.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. 15.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Hou, X.D.: Affinity of permutations of \(\mathbb{F}_{2}^{n}\). Discrete Appl. Math. 154(2), 313–325 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Leander, G., Poschmann, A.: On the Classification of 4 Bit S-Boxes. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 159–176. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Lim, C.H.: CRYPTON: A new 128-bit block cipher. In: The First AES Candidate Conference. National Institute for Standards and Technology (1998)Google Scholar
  19. 19.
    Matsui, M.: New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 205–218. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  20. 20.
    Matsui, M.: New block encryption algorithm MISTY. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 54–68. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  21. 21.
    Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  22. 22.
    Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  23. 23.
    Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: An Ultra-Lightweight Blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Stern, J., Vaudenay, S.: CS-CIPHER. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 189–204. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  25. 25.
    Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report, version 1.3 (2011)Google Scholar
  26. 26.
    Wu, S., Wang, M., Wu, W.: Recursive Diffusion Layers for (Lightweight) Block Ciphers and Hash Functions. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 355–371. Springer, Heidelberg (2013)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.The State Key Laboratory of Information Security, Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations