How Small Can S-boxes Be

Chenhao Jia; Tingting Cui; Qing Ling; Yan He; Kai Hu; Yu Sun; Meiqin Wang

Paper 2025/386

How Small Can S-boxes Be

Chenhao Jia, Hangzhou Dianzi University

Tingting Cui, Hangzhou Dianzi University

Qing Ling, Hangzhou Dianzi University

Yan He, Hangzhou Dianzi University

Kai Hu, Shandong University

Yu Sun, Shandong University

Meiqin Wang, Shandong University

Abstract

S-boxes are the most popular nonlinear building blocks used in symmetric-key primitives. Both cryptographic properties and implementation cost of an S-box are crucial for a good cipher design, especially for lightweight ones. This paper aims to determine the exact minimum area of optimal 4-bit S-boxes (whose differential uniform and linearity are both 4) under certain standard cell library. Firstly, we evaluate the upper and lower bounds upon the minimum area of S-boxes, by proposing a Prim-like greedy algorithm and utilizing properties of balanced Boolean functions to construct bijective S-boxes. Secondly, an SAT-aided automatic search tool is proposed that can simultaneously consider multiple cryptographic properties such as the uniform, linearity, algebraic degree, and the implementation costs such as area, and gate depth complexity. Thirdly, thanks to our tool, we manage to find the exact minimum area for different types of 4-bit S-boxes. The measurement in this paper uses the gate equivalent (GE) as standard unit under UMC 180 nm library, all 2/3/4-input logic gates are taken into consideration. Our results show that the minimum area of optimal 4-bit S-box is 11 GE and the depth is 3. If we do not use the 4-input gates, this minimum area increases to 12 GE and the depth in this case is 4, which is the same if we only use 2-input gates. If we further require that the S-boxes should not have fixed points, the minimum area continue increasing a bit to 12.33 GE while keeping the depth. Interestingly, the same results are also obtained for non-optimal 4-bit bijective S-boxes as long as their differential uniform and linearity (i.e., there is no non-trivial linear structures) if only 2-input and 3-input gates are used. But the minimum area reduce to 9 GE if 4-input gates are involved. More strictly, if we require the algebraic degree of all coordinate functions of optimal S-boxes be 3, the minimum area is 14 GE with fixed point and 14.33 GE without fixed point, and the depth increases sharply to 8. Besides determining the exact minimum area, our tool is also useful to search for a better implementation of existing S-boxes. As a result, we find out an implementation of Keccak's 5-bit S-box with 17 GE. As a contrast, the designer's original circuit has an area of 23.33 GE, while the optimized result by Lu et al. achieves an area of 17.66 GE. Also, we find out the first optimized implementation of SKINNY's 8-bit S-box with 26.67 GE.

Metadata

Available format(s): PDF
Category: Secret-key cryptography
Publication info: Published by the IACR in TOSC 2025
Keywords: S-box automatic search good cryptography properties minimum area SAT
Contact author(s): 222270059 @ hdu edu cn
cuitingting @ hdu edu cn
lingqing @ hdu edu cn
yan_he @ hdu edu cn
kai hu @ sdu edu cn
yu sun @ sdu edu cn
mqwang @ sdu edu cn
History: 2025-03-04: approved; 2025-02-28: received; See all versions
Short URL: https://ia.cr/2025/386
License: CC BY

BibTeX

@misc{cryptoeprint:2025/386,
      author = {Chenhao Jia and Tingting Cui and Qing Ling and Yan He and Kai Hu and Yu Sun and Meiqin Wang},
      title = {How Small Can S-boxes Be},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/386},
      year = {2025},
      url = {https://eprint.iacr.org/2025/386}
}