Paper 2020/1582

A New Method for Designing Lightweight S-boxes with High Differential and Linear Branch Numbers, and Its Application

Hangi Kim and Yongjin Jeon and Giyoon Kim and Jongsung Kim and Bo-Yeon Sim and Dong-Guk Han and Hwajeong Seo and Seonggyeom Kim and Seokhie Hong and Jaechul Sung and Deukjo Hong

Abstract

Bit permutations are efficient linear functions often used for lightweight cipher designs. However, they have low diffusion effects, compared to word-oriented binary and MDS matrices. Thus, the security of bit permutation-based ciphers is significantly affected by differential and linear branch numbers (DBN and LBN) of nonlinear functions. In this paper, we introduce a widely applicable method for constructing S-boxes with high DBN and LBN. Our method exploits constructions of S-boxes from smaller S-boxes and it derives/proves the required conditions for smaller S-boxes so that the DBN and LBN of the constructed S-boxes are at least 3. These conditions enable us to significantly reduce the search space required to create such S-boxes. In order to make cryptographically good and efficient S-boxes, we propose a unbalanced-Bridge structure that accepts one 3-bit and two 5-bit S-boxes, and produces 8-bit S-boxes. Using the proposed structure, we develop a variety of new lightweight S-boxes that provide not only both DBN and LBN of at least 3 but also efficient bitsliced implementations including at most 11 nonlinear bitwise operations. The new S-boxes are the first that exhibit these characteristics. Moreover, we propose a block cipher PIPO based on one of the new S-boxes, which supports a 64-bit plaintext and a 128 or 256-bit key. Our implementations demonstrate that PIPO outperforms existing block ciphers (for the same block and key lengths) in both side-channel protected and unprotected environments, on an 8-bit AVR. The security of PIPO has been scrutinized with regards to state-of-the-art cryptanalysis.

Note: This paper is partially based on the paper "PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations" presented at the 23rd annual International Conference on Information Security and Cryptology (ICISC 2020). But, it is not published yet.