Lightweight and Side-channel Secure 4x4 S-Boxes from Cellular Automata Rules

This work focuses on side-channel resilient design strategies for symmetric-key cryptographic primitives targeting lightweight applications. In light of NIST's lightweight cryptography project, design choices for block ciphers must consider not only security against traditional cryptanalysis but also side-channel security, while adhering to low area and power requirements. In this paper, we explore design strategies for substitution-permutation network (SPN)-based block ciphers that make them amenable to low-cost threshold implementations (TI), a provably secure strategy against side-channel attacks. The core building blocks of our strategy are cryptographically optimal 4×4 S-Boxes, implemented via repeated iterations of simple cellular automata (CA) rules. We present highly optimized TI circuits for such S-Boxes that consume nearly 40% less area and power than popular lightweight S-Boxes such as those of PRESENT and GIFT. We validate our claims via implementation results on ASIC using 180nm technology. We also present a comparison of TI circuits for two popular lightweight linear diffusion layer choices: bit permutations and MixColumns using almost-maximum-distance-separable (almost-MDS) matrices. We finally illustrate design paradigms that combine the aforementioned TI circuits for S-Boxes and diffusion layers to obtain fully side-channel secure SPN block cipher implementations with low area and power requirements.
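As an added worked example (not code from the paper), the following Python builds 4×4 S-boxes by iterating an elementary CA rule on a periodic 4-cell ring, the construction the abstract describes, and scores them by differential uniformity and linearity against the PRESENT S-box, which lies in the cryptographically optimal class. The Wolfram rule numbering, the periodic boundary and the rule and step choices are my assumptions, not the paper's.

```python
# Added example (not code from the paper): build 4-bit S-boxes by iterating an
# elementary (radius-1, Wolfram-numbered) CA rule on a 4-cell periodic ring, then
# score them by differential uniformity and linearity, the two criteria behind
# "cryptographically optimal" 4x4 S-boxes. Rules, steps and boundary are my choices.
N = 4  # ring size = S-box width in bits
PRESENT_SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # public spec

def ca_step(state, rule):
    """One synchronous update of an N-bit ring under Wolfram rule `rule`."""
    cell = lambda j: (state >> (j % N)) & 1  # periodic boundary
    out = 0
    for i in range(N):
        pattern = (cell(i + 1) << 2) | (cell(i) << 1) | cell(i - 1)  # left,centre,right
        out |= ((rule >> pattern) & 1) << i
    return out

def ca_sbox(rule, steps):
    """S-box table: apply `rule` for `steps` time steps to every 4-bit input."""
    table = []
    for x in range(1 << N):
        for _ in range(steps):
            x = ca_step(x, rule)
        table.append(x)
    return table

def is_bijective(sbox):
    return sorted(sbox) == list(range(1 << N))

def differential_uniformity(sbox):
    """Largest DDT entry outside the a = 0 row (optimal for 4 bits: 4)."""
    worst = 0
    for a in range(1, 1 << N):
        counts = [0] * (1 << N)
        for x in range(1 << N):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst

def linearity(sbox):
    """Largest |Walsh coefficient| over non-zero output masks (optimal: 8)."""
    walsh = lambda a, b: sum((-1) ** (bin((a & x) ^ (b & sbox[x])).count("1") & 1)
                             for x in range(1 << N))
    return max(abs(walsh(a, b)) for a in range(1 << N) for b in range(1, 1 << N))

def bijective_rules(steps):
    """Rules whose iterated map is a permutation -> (delta, linearity). Iterating
    never makes a non-permutation bijective, so `steps` changes only the metrics."""
    tables = {r: ca_sbox(r, steps) for r in range(256)}
    return {r: (differential_uniformity(s), linearity(s)) for r, s in tables.items() if is_bijective(s)}
```

Calling bijective_rules(1) lists every elementary rule whose ring map is a permutation together with its metrics; comparing an entry with PRESENT's (4, 8) shows how far that rule is from the optimal class, and linear rules such as 150 sit at the worst value (16, 16).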
