A New Method for Designing Lightweight S-Boxes with High Differential and Linear Branch Numbers, and Its Application? Hangi Kim1, Yongjin Jeon1, Giyoon Kim1, Jongsung Kim1;2??, Bo-Yeon Sim1, Dong-Guk Han1;2, Hwajeong Seo3, Seonggyeom Kim4, Seokhie Hong4, Jaechul Sung5, and Deukjo Hong6 1 Department of Financial Information Security, Kookmin University, Republic of Korea 2 Department of Information Security, Cryptology, and Mathematics, Kookmin University, Republic of Korea 3 Division of IT Convergence Engineering, Hansung University, Republic of Korea 4 School of Cyber Security, Korea University, Republic of Korea 5 Department of Mathematics, University of Seoul, Republic of Korea 6 Department of Information Technology & Engineering, Jeonbuk National University, Republic of Korea 1 Abstract. Bit permutations are efficient linear functions often used for 2 lightweight cipher designs. However, they have low diffusion effects, com- 3 pared to word-oriented binary and MDS matrices. Thus, the security of 4 bit permutation-based ciphers is significantly affected by differential and 5 linear branch numbers (DBN and LBN) of nonlinear functions. In this 6 paper, we introduce a widely applicable method for constructing S-boxes 7 with high DBN and LBN. Our method exploits constructions of S-boxes 8 from smaller S-boxes and it derives/proves the required conditions for 9 smaller S-boxes so that the DBN and LBN of the constructed S-boxes 10 are at least 3. These conditions enable us to significantly reduce the 11 search space required to create such S-boxes. In order to make crypto- 12 graphically good and efficient S-boxes, we propose a unbalanced-Bridge 13 structure that accepts one 3-bit and two 5-bit S-boxes, and produces 14 8-bit S-boxes. Using the proposed structure, we develop a variety of new 15 lightweight S-boxes that provide not only both DBN and LBN of at 16 least 3 but also efficient bitsliced implementations including at most 11 17 nonlinear bitwise operations. The new S-boxes are the first that exhibit 18 these characteristics. Moreover, we propose a block cipher PIPO based 19 on one of the new S-boxes, which supports a 64-bit plaintext and a 128 20 or 256-bit key. Our implementations demonstrate that PIPO outperforms 21 existing block ciphers (for the same block and key lengths) in both side- 22 channel protected and unprotected environments, on an 8-bit AVR. The ? This paper is partially based on the paper \PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations" [43] presented at the 23rd annual International Conference on Information Security and Cryptology (ICISC 2020). ?? Corresponding author, [email protected] 2 Hangi Kim et al. 23 security of PIPO has been scrutinized with regards to state-of-the-art 24 cryptanalysis. 25 Keywords: Lightweight S-boxes · Differential and linear branch num- 26 bers · PIPO · Higher-order masking 27 1 Introduction 28 The fourth industrial revolution encompasses a wide range of advanced technolo- 29 gies. One of its core elements is the Internet of Things (IoT), which binds together 30 people, objects, processes, data, applications, and services to make networked 31 connections more relevant and valuable than ever before. However, trustworthy 32 systems are required to enable secure and reliable IoT-based infrastructures, and 33 an essential building block for such systems is cryptography. 34 Most devices in IoT environments are miniature and resource-constrained. 35 Therefore, lightweight cryptography, which is an active area of research, is es- 36 sential. Some lightweight block ciphers such as PRESENT [25] and CLEFIA [64] 37 have been standardized by ISO/IEC. In addition, a lightweight cryptography 38 standardization project is ongoing at NIST. 39 In 1996, Paul Kocher first introduced side-channel attacks, which extract se- 40 cret information by analyzing side-channel information [51]. Since secure designs 41 for mathematical cryptanalysis cannot guarantee security against side-channel 42 attacks, various countermeasures have been studied. With side-channel attacks 43 becoming more advanced and the associated equipment cost decreasing [71], the 44 application of side-channel countermeasures to ciphers has become crucial. Re- 45 cently, various studies have been actively conducted on efficient implementations 46 of side-channel countermeasures, especially on efficient masked implementations. 47 To minimize performance overhead, the focus has been on reducing the number 48 of nonlinear operations. Several lightweight block ciphers, with the design goal 49 of low nonlinear operation count, have been proposed [2,3,40]. 50 The lightweightness of block ciphers and the efficiency of their side-channel 51 protected implementations depend significantly on their nonlinear functions. 52 Many of lightweight block ciphers use 4-bit S-boxes [2,9,13,25,42] or 8-bit S- 53 boxes [1,14,40,48,64] as nonlinear functions. One of the main design approaches 54 of lightweight 8-bit S-boxes is to use existing structures, such as Feistel, Lai- 55 Massey and MISTY, employing smaller S-boxes (e.g., 3, 4, or 5-bit S-boxes). 56 However, most related studies have focused on the S-box construction to combine 57 with the linear functions such as word-oriented binary or MDS matrices [1,28,40]. 58 Contributions. In this paper, we introduce a construction method for a differ- 59 ent type of lightweight 8-bit S-boxes that are well-suited to a linear bit permu- 60 tation layer, based on which we develop many of new S-boxes with both DBN 61 and LBN of at least 3 and with efficient masked software implementations. We 1 62 employ one of them to design a new lightweight versatile block cipher PIPO , 1 PIPO stands for \Plug-In" and \Plug-Out", representing its use in side-channel pro- tected and unprotected environments, respectively. Title Suppressed Due to Excessive Length 3 63 which can be used in diverse resource-constrained environments, because it is 64 secure and efficient for multiple platforms. Our proposed S-box construction and 65 cipher have the following characteristics and advantages. 66 1. Our S-box construction methodology enables both DBN and LBN of at least 67 3, and this property, in combination with a bit permutation, enhances secu- 68 rity. It can be used in the construction of a variety of S-boxes from smaller 69 S-boxes. In this study, the Feistel, Lai{Massey, and unbalanced-MISTY struc- 70 tures as well as our proposed unbalanced-Bridge structure have been ana- 71 lyzed. Our framework eliminates all the input and output differences (or 72 masks) where the sum of their Hamming weights is two, during which some 73 conditions of the employed smaller S-boxes are induced. These conditions 74 could accelerate the S-box search, resulting in more than 8,000 new lightweight 75 8-bit S-boxes with both DBN and LBN of 3. Their bitsliced implementations 76 include 11 nonlinear bitwise operations each. One of them, whose crypto- 77 graphic properties and efficiency are overall superior or comparable to those 78 of state-of-the-art lightweight S-boxes, was employed for PIPO. Our method- 79 ology was also used to find more than 1,000 8-bit S-boxes with DBN of 4 and 80 LBN of 3. To the best of our knowledge, all the aforementioned S-boxes are 81 the first S-boxes with such properties. Furthermore, we found 6 and 7-bit 82 new S-boxes with both DBN and LBN of 3 which are more efficient than 83 existing ones. 84 2. During the PIPO design process, the focus was on minimizing the number of 85 nonlinear operations bacause this is the most significant factor for efficient 86 higher-order masking implementations. Consequently, PIPO-64/128 achieves 87 fast higher-order masking implementations on an 8-bit AVR, and its execu- 88 tion time increases less with the number of shares (i.e., the masking order) 89 compared with other lightweight 64-bit block ciphers with 128-bit keys. PIPO 90 also shows excellent performance on 8-bit microcontrollers. For the 128-bit 91 key version, the bitsliced implementation for a single-block data requires 92 only 320 bytes of ROM, 31 bytes of RAM, and 197 cycles/byte on an 8MHz 93 ATmega CPU. Accordingly, PIPO-64/128 outperforms other lightweight 64- 94 bit block ciphers with 128-bit keys in terms of 8-bit AVR implementa- 95 tions. It is also competitive in round-based hardware implementations. Using 96 130nm CMOS technology, the round-based and area optimized implemen- 97 tation of PIPO-64/128 requires only 1,446 gates and achieves 492 Kbps at 98 100KHz. Although more gates are required to implement PIPO-64/128 than 99 CRAFT-64/128 [13], Piccolo-64/128 [63], and SIMON-64/128 [12], it can be 100 implemented with at least twice the throughput. Accordingly, PIPO-64/128 101 records a higher FOM. Furthermore, PIPO can be efficiently implemented 102 with minimal memory consumption, other than for storing a plaintext (fol- 103 lowed by an intermediate state) and a key. Predefined tables are unnecessary 104 for the nonlinear and linear layers, due to their efficient bitsliced implemen- 105 tations. The advantage of low memory usage elevates PIPO as the preferred 106 choice for low-resource devices. 4 Hangi Kim et al. 107 Organization. In section 2, we introduce a method for constructing S-boxes 108 with DBN and LBN greater than 2. In section 3, we describe the S-box selection 109 procedure for PIPO and new other S-boxes, based on a comparison of our and 110 existing S-boxes. Section 4 specifies the PIPO cipher and its design choices, and 111 section 5 offers our security and performance evaluations of PIPO.