Paper 2023/750

BAKSHEESH: Similar Yet Different From GIFT

Anubhab Baksi, Nanyang Technological University
Jakub Breier, Graz University of Technology, Silicon Austria Labs, Graz, Austria
Anupam Chattopadhyay, Nanyang Technological University
Tomáš Gerlich, Brno University of Technology
Sylvain Guilley, Télécom ParisTech, France, Secure-IC, Cesson-Sévigné, France
Naina Gupta, Nanyang Technological University
Takanori Isobe, University of Hyogo, Kobe, Japan
Arpan Jati, Nanyang Technological University
Petr Jedlicka, Brno University of Technology, Brno, Czechia
Hyunjun Kim, Hansung University, Seoul, South Korea
Fukang Liu, University of Hyogo, Kobe, Japan
Zdeněk Martinásek, Brno University of Technology
Kosei Sakamoto, University of Hyogo, Kobe, Japan
Hwajeong Seo, Hansung University
Rentaro Shiba, University of Hyogo
Ritu Ranjan Shrivastwa, Secure-IC, Cesson-Sévigné, France

We propose a lightweight block cipher named BAKSHEESH, which follows up on the popular cipher GIFT-128 (CHES'17). BAKSHEESH runs for 35 rounds, which is 12.50 percent fewer than GIFT-128 (which runs for 40 rounds), while maintaining the same security claims against the classical attacks. The crux of BAKSHEESH is to use a 4-bit SBox that has a non-trivial Linear Structure (LS). An SBox with one or more non-trivial LS had not been used in a cipher construction until DEFAULT (Asiacrypt'21). DEFAULT is pitched to have inherent protection against the Differential Fault Attack (DFA), thanks to its SBox having 3 non-trivial LS. BAKSHEESH, however, uses an SBox with only 1 non-trivial LS, and is a traditional cipher just like GIFT-128, with no claims against DFA. The SBox requires a low number of AND gates, making BAKSHEESH suitable for side channel countermeasures (when compared to GIFT-128) and other niche applications. Indeed, our study on the cost of the threshold implementation shows that BAKSHEESH offers a few-fold advantage over other lightweight ciphers. The design does not deviate much from its predecessor (GIFT-128), thereby allowing for easy implementation (such as fix-slicing in software). However, BAKSHEESH opts for the full-round key XOR, compared to the half-round key XOR in GIFT. Thus, when taking everything into account, we show how a cipher construction can benefit from the unique vantage point of using a 1-LS SBox, by combining the state-of-the-art progress in classical cryptanalysis and protection against device-dependent attacks. We therefore create a new paradigm of lightweight ciphers, through adequate deliberation on the design choice, and solidify it with appropriate security analysis and ample implementation/benchmark.
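The LS counts quoted in the abstract can be checked mechanically. The following is an added example, not code from the paper: it assumes the usual definition (a non-zero input difference a is a linear structure of S if S(x) ⊕ S(x ⊕ a) is the same constant for every x), and the three SBox tables are assumptions taken from the published cipher specifications, since this page does not list them.

```python
# Added example: enumerate the non-trivial linear structures (LS) of a 4-bit SBox.
# Assumed definition: a != 0 is an LS of S if S(x) ^ S(x ^ a) == c for all x.
# The tables below are NOT on this page; they are assumed from the published specs.
GIFT_SBOX      = [0x1, 0xA, 0x4, 0xC, 0x6, 0xF, 0x3, 0x9,
                  0x2, 0xD, 0xB, 0x7, 0x5, 0x0, 0x8, 0xE]
DEFAULT_LS_SBOX = [0x0, 0x3, 0x7, 0xE, 0xD, 0x4, 0xA, 0x9,
                   0xC, 0xF, 0x1, 0x8, 0xB, 0x2, 0x6, 0x5]
BAKSHEESH_SBOX = [0x3, 0x0, 0x6, 0xD, 0xB, 0x5, 0x8, 0xE,
                  0xC, 0xF, 0x9, 0x2, 0x4, 0xA, 0x7, 0x1]


def _check_permutation(sbox):
    n = len(sbox)
    if n == 0 or n & (n - 1) or sorted(sbox) != list(range(n)):
        raise ValueError("SBox must be a permutation of 0..2^k-1")
    return n


def linear_structures(sbox):
    """Return {a: c} for every non-zero a with S(x) ^ S(x ^ a) == c for all x."""
    n = _check_permutation(sbox)
    found = {}
    for a in range(1, n):
        diffs = {sbox[x] ^ sbox[x ^ a] for x in range(n)}
        if len(diffs) == 1:          # output difference is independent of x
            found[a] = diffs.pop()
    return found


def max_ddt_entry(sbox):
    """Largest difference-distribution-table entry over non-zero input differences."""
    n = _check_permutation(sbox)
    best = 0
    for a in range(1, n):
        row = [0] * n
        for x in range(n):
            row[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(row))
    return best


if __name__ == "__main__":
    for name, sbox in (("GIFT", GIFT_SBOX), ("DEFAULT (LS layer)", DEFAULT_LS_SBOX),
                       ("BAKSHEESH", BAKSHEESH_SBOX)):
        ls = {hex(a): hex(c) for a, c in linear_structures(sbox).items()}
        print(f"{name}: non-trivial LS = {ls}, max DDT entry = {max_ddt_entry(sbox)}")
```

Each LS shows up as a DDT entry equal to the table size (16 for a 4-bit SBox), that is, a differential that passes through the SBox with probability 1.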

Category: Secret-key cryptography
Keywords: lightweight cryptography, block cipher, threshold implementation, fault attack, gift, default, linear structure
Contact author(s)
anubhab baksi @ ntu edu sg
jbreier @ jbreier com
anupam @ ntu edu sg
xgerli02 @ stud feec vutbr cz
sylvain guilley @ telecom-paristech fr
naina003 @ e ntu edu sg
takanori isobe @ ai u-hyogo ac jp
arpan jati @ ntu edu sg
xjedli23 @ vut cz
khj930704 @ gmail com
liufukangs @ gmail com
martinasek @ feec vutbr cz
k sakamoto0728 @ gmail com
hwajeong84 @ gmail com
rentaro shiba @ gmail com
ritu-ranjan shrivastwa @ secure-ic com
2023-07-12: last of 5 revisions
2023-05-24: received
Creative Commons Attribution-NonCommercial-ShareAlike


      author = {Anubhab Baksi and Jakub Breier and Anupam Chattopadhyay and Tomáš Gerlich and Sylvain Guilley and Naina Gupta and Takanori Isobe and Arpan Jati and Petr Jedlicka and Hyunjun Kim and Fukang Liu and Zdeněk Martinásek and Kosei Sakamoto and Hwajeong Seo and Rentaro Shiba and Ritu Ranjan Shrivastwa},
      title = {{BAKSHEESH}: Similar Yet Different From {GIFT}},
      howpublished = {Cryptology ePrint Archive, Paper 2023/750},
      year = {2023},
      note = {\url{}},
      url = {}