LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations

  • Vincent Grosso
  • Gaëtan Leurent
  • François-Xavier StandaertEmail author
  • Kerem Varıcı
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


Side-channel analysis is an important issue for the security of embedded cryptographic devices, and masking is one of the most investigated solutions to mitigate such attacks. In this context, efficient masking has recently been considered as a possible criteria for new block cipher designs. Previous proposals in this direction were applicable to different types of masking schemes (e.g. Boolean and polynomial). In this paper, we study possible optimizations when specializing the designs to Boolean masking. For this purpose, we first observe that bitslice ciphers have interesting properties for improving both the efficiency and the regularity of masked software implementations. Next we specify a family of block ciphers (denoted as LS-designs) that can systematically take advantage of bitslicing in a principled manner. Eventually, we evaluate both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.


Block Cipher Branch Number Algebraic Degree Algebraic Attack Differential Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work has been funded in parts by the ERC project 280141 (acronym CRASH). François-Xavier Standaert is an associate researcher of the Belgian Fund for Scientific Research (FNRS-F.R.S.).

Supplementary material


  1. 1.
    Barreto, P., Rijmen, V.: The KHAZAD legacy-level block cipher. Primitive submitted to NESSIE, 4 (2000)Google Scholar
  2. 2.
    Bertoni, G., Coron, J.-S.: CHES 2013. LNCS, vol. 8086. Springer, Heidelberg (2013)CrossRefzbMATHGoogle Scholar
  3. 3.
    Biham, E.: FSE1997. LNCS, vol. 1267. Springer, Heidelberg (1997)Google Scholar
  4. 4.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991) Google Scholar
  5. 5.
    Bilgin, B., Bogdanov, A., Knezevic, M., Mendel, F., Wang, Q.: Fides: lightweight authenticated cipher with side-channel resistance for constrained hardware. [2], pp. 142–158Google Scholar
  6. 6.
    Biryukov, A., Wagner, D.: Slide Attacks. [32], pp. 245–259Google Scholar
  7. 7.
    Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  8. 8.
    Boura, C., Canteaut, A., De Cannière, C.: Higher-order differential properties of Keccak and Luffa. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 252–269. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  9. 9.
    Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. In: Festa, P. (ed.) SEA 2010. LNCS, vol. 6049, pp. 178–189. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  10. 10.
    Cid, C., Murphy, S., Robshaw, M.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  11. 11.
    Coron, J.S.: Higher order masking of look-up tables. Cryptology ePrint Archive, Report 2013/700 (2013).
  12. 12.
    Daemen, J.: Limitations of the Even-Mansour construction. [25], pp. 495–498Google Scholar
  13. 13.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. [3], pp. 149–165Google Scholar
  14. 14.
    Daemen, J., Peeters, M., Van Assche, G.: Bitslice ciphers and power analysis attacks. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, p. 134. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  15. 15.
    Daemen, J., Peeters, M., Assche, G.V., Rijmen, V.: Nessie proposal: NOEKEON (2000).
  16. 16.
    Daemen, J., Rijmen, V.: The wide trail design strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, p. 222. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  17. 17.
    Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: Key recovery attacks on 3-round Even-Mansour, 8-step LED-128, and full \(\text{ AES }^{2}\). Cryptology ePrint Archive, Report 2013/391 (2013).
  18. 18.
    Dunkelman, O., Keller, N., Shamir, A.: Minimalism in cryptography: the Even-Mansour scheme revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 336–354. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  19. 19.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. [25], pp. 210–224Google Scholar
  20. 20.
    Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.X.: Block ciphers that are easier to mask: how far can we go? [2], pp. 383–399Google Scholar
  21. 21.
    Grassl, M.: Bounds on the minimum distance of linear codes and quantum codes (2007). Accessed 8 November 2013
  22. 22.
    Grosso, V., Standaert, F.X., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? [2], pp. 400–416Google Scholar
  23. 23.
    Guo, J., Nikolic, I., Peyrin, T., Wang, L.: Cryptanalysis of Zorro. Cryptology ePrint Archive, Report 2013/713 (2013).
  24. 24.
    Hart, P.E., Nilsson, N.J., Raphael, B.: A formal basis for the heuristic determination of minimum cost paths. IEEE Trans. Syst. Sci. Cybern. 4(2), 100–107 (1968)CrossRefGoogle Scholar
  25. 25.
    Imai, H., Rivest, R.L., Matsumoto, T.: ASIACRYPT 1991. LNCS, vol. 739. Springer, Heidelberg (1993) zbMATHGoogle Scholar
  26. 26.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  27. 27.
    Isobe, T., Shibutani, K.: Security analysis of the lightweight block ciphers XTEA, LED and Piccolo. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 71–86. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  28. 28.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  29. 29.
    Kerckhof, S., Durvaux, F., Hocquet, C., Bol, D., Standaert, F.-X.: Towards green cryptography: a comparison of lightweight ciphers from the energy viewpoint. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 390–407. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  30. 30.
    Khovratovich, D., Nikolić, I.: Rotational cryptanalysis of ARX. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 333–346. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  31. 31.
    Kim, H., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-Box. [42], pp. 95–107Google Scholar
  32. 32.
    Knudsen, L.: FSE 1999. LNCS, vol. 1636. Springer, Heidelberg (1999)Google Scholar
  33. 33.
    Kwon, D., et al.: Information security and cryptology - ICISC 2003. In: Lim, J.-I., Lee, D.-H. (eds.) ARIA. LNCS, vol. 2971, pp. 432–445. Springer, Heidelberg (2004) Google Scholar
  34. 34.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  35. 35.
    Matsui, M.: On correlation between the order of S-boxes and the strength of DES. [46], pp. 366–375Google Scholar
  36. 36.
    Matsui, M.: New block encryption algorithm MISTY. [3], pp. 54–68Google Scholar
  37. 37.
    Mendel, F., Rijmen, V., Toz, D., Varıcı, K.: Differential analysis of the LED block cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 190–207. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  38. 38.
    Nikolić, I., Wang, L., Wu, S.: Cryptanalysis of round-reduced LED. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 112–130. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  39. 39.
    Nikova, S., Rijmen, V., Schläffer, M.: Secure hardware implementation of nonlinear functions in the presence of glitches. J. Cryptol. 24(2), 292–321 (2011)CrossRefzbMATHGoogle Scholar
  40. 40.
    Nyberg, K.: Linear approximation of block ciphers. [46], pp. 439–444Google Scholar
  41. 41.
    Piret, G., Roche, T., Carlet, C.: PICARO – a block cipher allowing efficient higher-order side-channel resistance. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 311–328. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  42. 42.
    Preneel, B., Takagi, T.: CHES 2011. LNCS, vol. 6917. Springer, Heidelberg (2011) CrossRefzbMATHGoogle Scholar
  43. 43.
    Prouff, E., Roche, T.: Higher-order glitches free implementation of the AES using secure multi-party computation protocols. [42], pp. 63–78Google Scholar
  44. 44.
    Rijmen, V., Barreto, P.: Nessie proposal: WHIRLPOOL (2000).
  45. 45.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  46. 46.
    De Santis, A.: EUROCRYPT 1994. LNCS, vol. 950. Springer, Heidelberg (1995) zbMATHGoogle Scholar
  47. 47.
    Toffoli, T.: Reversible computing. In: de Bakker, J., van Leeuwen, J. (eds.) Automata, Languages and Programming. LNCS, vol. 85, pp. 632–644. Springer, Heidelberg (1980) CrossRefGoogle Scholar
  48. 48.
    Ullrich, M., Cannière, C.D., Indesteege, S., Küçük, Ö., Mouha, N., Preneel, B.: Finding optimal bitsliced implementations of \(4\times 4\)-bit S-boxes. Symmetric Key Encryption Workshop, p. 20. Copenhagen, DK (2011)Google Scholar
  49. 49.
    Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  50. 50.
    Wagner, D.: The boomerang attack. [42], pp. 156–170Google Scholar
  51. 51.
    Whitnall, C., Oswald, E., Standaert, F.-X.: The myth of generic DPA..and the magic of learning. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 183–205. Springer, Heidelberg (2014) CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Vincent Grosso
    • 1
  • Gaëtan Leurent
    • 1
    • 2
  • François-Xavier Standaert
    • 1
    Email author
  • Kerem Varıcı
    • 1
  1. 1.ICTEAM/ELEN/Crypto GroupUniversité catholique de LouvainLouvain-la-NeuveBelgium
  2. 2.Inria, EPI SECRETRocquencourtFrance

Personalised recommendations