Threshold Implementations of all 3 × 3 and 4 × 4 S-boxes
Begul Bilgin (1,3), Svetla Nikova (1), Ventzislav Nikov (4), Vincent Rijmen (1,2), and Georg Stütz (2)
(1) Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC and IBBT, Belgium
(2) Graz University of Technology, IAIK, Austria
(3) University of Twente, EEMCS-DIES, The Netherlands
(4) NXP Semiconductors, Belgium
Abstract. Side-channel attacks have proven many hardware implementations of cryptographic algorithms to be vulnerable. A recently proposed
masking method, based on secret sharing and multi-party computation
methods, introduces a set of sufficient requirements for implementations
to be provably resistant against first-order DPA with minimal assumptions on the hardware. The original paper doesn’t describe how to construct the Boolean functions that are to be used in the implementation.
In this paper, we derive the functions for all invertible 3×3, 4×4 S-boxes
and the 6 × 4 DES S-boxes. Our methods and observations can also be
used to accelerate the search for sharings of larger (e.g. 8 × 8) S-boxes.
Finally, we investigate the cost of such protection.
Keywords: DPA, masking, glitches, sharing, nonlinear functions, S-box,
decomposition
1 Introduction
Side-channel analysis exploits the information leaked during the computation of a cryptographic algorithm. The most common technique is to
analyze the power consumption of a cryptographic device using differential power analysis (DPA). This side-channel attack exploits the correlation between the instantaneous power consumption of a device and the
intermediate results of a cryptographic algorithm.
Several countermeasures against side-channel attacks have been proposed. Circuit design approaches [30] try to balance the power consumption of different data values. Another method is to randomize the intermediate values of an algorithm by masking them. This can be done at
the algorithm level [1, 4, 11, 23], at the gate level [12, 26, 31] or even in
combination with circuit design approaches [24].
Many of these approaches result in very secure software implementations. However, it has been shown that hardware implementations are
much more difficult to protect against DPA [16]. The problem of most of
these masking approaches is that they underestimate the amount of information that is leaked by hardware, for instance during glitches or other
transient effects. The security proofs are based on an idealized hardware
model, resulting in requirements on the hardware that are very expensive
to meet in practice. The main advantages of the threshold implementation
approach are that it provides provable security against first-order DPA
attacks with minimal assumptions on the hardware technology, in particular, it is also secure in the presence of glitches, and that the method
allows to construct realistic-size circuits [19, 21, 22].
1.1 Organization and contributions of this paper
The remainder of this paper is organized as follows. In Section 2 we introduce the notation and provide some background material. Section 2.6
contains our first contribution: a classification of S-boxes which simplifies the task to find implementations for all S-boxes. In Section 3 we
present our second contribution: a method to decompose permutations
as a composition of quadratic ones. We prove that all 4-bit S-boxes in the
alternating group can be decomposed in this way. We extend the sharing
method in Section 4 and show that all 3 × 3, 4 × 4 and DES 6 × 4 S-boxes
can be shared with minimum 3 and/or 4 shares. We investigate the cost
of an HW implementation of the shared S-boxes in Section 5. We present
some ideas for further improvements in Section 6. Finally, we conclude in
Section 7.
2 Preliminaries
We consider n-bit permutations, sometimes defined over a vector space $\mathbb{F}_2^n$ or over a finite field $GF(2^n)$. The degree of such a permutation F is the algebraic degree of the (n, n) vectorial Boolean function [5], also called an n-bit S-box. Any such function F(x) can be considered as an n-tuple of Boolean functions $(f_1(x), \ldots, f_n(x))$ called the coordinate functions of F(x).
2.1 Threshold implementations
Threshold implementations (TI) are a kind of side-channel attack countermeasure based on secret sharing schemes and techniques from multi-party computation. The approach can be summarized as follows. Split a variable x into s additive shares $x_i$ with $x = \sum_i x_i$ and denote the vector of the s shares $x_i$ by $\mathbf{x} = (x_1, x_2, \ldots, x_s)$. In order to implement a function $a = F(x, y, z, \ldots)$ from $\mathbb{F}_2^m$ to $\mathbb{F}_2^n$, the TI method requires a sharing, i.e. a set of s functions $F_i$ which together compute the output(s) of F. A sharing needs to satisfy three properties:
Correctness: $a = F(x, y, z, \ldots) = \sum_i F_i(\mathbf{x}, \mathbf{y}, \mathbf{z}, \ldots)$ for all $\mathbf{x}, \mathbf{y}, \mathbf{z}, \ldots$ satisfying $\sum_i x_i = x$, $\sum_i y_i = y$, $\sum_i z_i = z$, ...
Non-completeness: Every function is independent of at least one share of the input variables x, y, z. This is often translated to "$F_i$ should be independent of $x_i, y_i, z_i, \ldots$".
Uniformity (balancedness): For all $(a_1, a_2, \ldots, a_s)$ satisfying $\sum_i a_i = a$, the number of tuples $(\mathbf{x}, \mathbf{y}, \mathbf{z}, \ldots) \in \mathbb{F}^{ms}$ for which $F_j(\mathbf{x}, \mathbf{y}, \mathbf{z}, \ldots) = a_j$, $1 \le j \le s$, is equal to $2^{(s-1)(m-n)}$ times the number of $(x, y, z, \ldots) \in \mathbb{F}^m$ for which $a = F(x, y, z, \ldots)$. Hence, if F is a permutation on $\mathbb{F}^m$, then the functions $F_i$ define together a permutation on $\mathbb{F}^{ms}$. In other words, the sharing preserves the output distribution.
This approach results in combinational logic with the following properties. Firstly, since each Fi is completely independent of the unmasked
values, also the subcircuits implementing them are, even in the presence
of glitches. Because of the linearity of the expectation operator, the same
holds true for the average power consumption of the whole circuit, or any
linear combination of the power consumptions of the subcircuits. This
implies perfect resistance against all first-order side-channel attacks [22].
The approach was recently extended and applied to Noekeon [22], Keccak [3], Present [25] and AES [18]. Whereas it is easy to construct for
any function a sharing satisfying the first two properties, the uniformity
property poses more problems. Hence reasonable questions to ask are:
which functions (S-boxes) can be shared with this approach, how many
shares are required and how can we construct such sharing?
A similar approach was followed in [27], where Shamir's secret sharing scheme is used to construct hardware secure against d-th order side-channel attacks in the presence of glitches. Instead of constructing dedicated functions $F_i$, they propose a general method which replaces every field multiplication by $4d^3$ field multiplications and $4d^3$ additions, using $2d^2$ bytes of randomness. While the method is applicable everywhere, in principle, there are cases where it may prove too costly.
2.2 Decomposition as a tool to facilitate sharing
In order to share a nonlinear function (S-box) with algebraic degree d, at
least d+1 shares are needed [19, Theorem 1]. Several examples of functions
shared with 3 shares, namely quadratic Boolean function of two and three
variables, multiplication on the extension field $GF(2^{2m})/GF(2^m)$ (e.g.
multiplication in GF(4)), and the Noekeon S-box have been provided
[19, 21, 22]. A realization of the inversion in GF (16) with 5 shares was
given in [19]. Since the area requirements of an implementation increase
with the number of shares, it is desirable to keep the number of shares as
low as possible.
The block ciphers Noekeon and Present have been designed for compact hardware implementations. They have S-boxes, which are not very
complex 4 × 4 cubic permutations. Realizations for these two block ciphers have been presented for Noekeon in [21, 22] and in [25] for Present.
In order to decrease the algebraic degree of the functions for which sharings need to be found, these three realizations decompose the S-box into
two parts. For the Present S-box, decompositions S(x) = F (G(x)) with
G(0) = 0 have been found [25] where F (x) and G(x) are quadratic permutations. By varying the constant term G(0) the authors found all possible
decompositions of S(X) = F (G(X)). Both S-boxes F (x), G(x) have been
shared with three shares (F1 , F2 , F3 ) and (G1 , G2 , G3 ) that are correct,
non-complete and uniform. Figure 1 illustrates this approach.
Fig. 1: Decomposition approach
When the AES S-box (with algebraic degree seven) is presented using
the tower field approach, the only nonlinear operation is the multiplication
in GF(4), which is a quadratic mapping [18]. This observation has led to a TI for AES with 3 shares. In order to guarantee the uniformity, re-sharing (also called re-masking) has been used four times. Re-sharing is a technique where fresh uniform and random masks/shares are added inside a pipeline stage in order to make the shares follow a uniform distribution again.
A novel fault attack technique against several AES cores including
one claimed to be protected with TI method has been proposed in [17].
But as the authors pointed out, contrary to the AES TI implementation in [18], their targeted core has been made without satisfying the non-completeness and uniformity properties, by "sharing" the AND gates with the 4-share formula from [18, 19]. Since the method used does not satisfy the TI properties, it should not be called a TI implementation of AES. In addition, the TI method was never claimed to provide protection against fault attacks.
2.3 Equivalence classes for n = 2, 3, 4
Definition 1. [7] Two S-boxes S1 (x) and S2 (x) are affine/linear equivalent if there exists a pair of invertible affine/linear permutation A(x) and
B(x), such that S1 = B ◦ S2 ◦ A.
Every invertible affine permutation A(x) can be written as $A \cdot x + a$ with a an n-bit constant and A an n × n matrix which is invertible over GF(2). It follows that there are
$$2^n \times \prod_{i=0}^{n-1} (2^n - 2^i) \qquad (1)$$
different invertible affine permutations.
The relation “being affine equivalent” can be used to define equivalence classes. We now investigate the number of classes of invertible n × n
S-boxes for n = 2, 3, 4. Note that the algebraic degree is affine invariant,
hence all S-boxes in a class have the same algebraic degree.
It is well known that all invertible 2 × 2 S-boxes are affine, hence there
is only one class. The set of invertible 3×3 S-boxes contains 4 equivalence
classes [7]: 3 classes containing quadratic functions, and one class containing the affine functions. Table 7 in the Appendix lists a representative of
each class.
The maximal algebraic degree of a balanced 4-variable Boolean function is 3 [6, 15]. De Cannière uses an algorithm to search for the affine equivalence classes which guesses the affine permutation A for as few input points as possible, and then uses the linearity of A and B to follow the implications of these guesses as far as possible. This search is accelerated by applying the next observation, which follows from linear algebra arguments (change of basis):
Lemma 1 ([14]). Let S be an n × n bijection. Then S is affine equivalent to an S-box $\tilde{S}$ with $\tilde{S}(0) = 0$, $\tilde{S}(1) = 1$, $\tilde{S}(2) = 2$, $\ldots$, $\tilde{S}(2^{n-1}) = 2^{n-1}$.
In the case n = 4, this observation reduces the search space from $16! \approx 2^{44}$ to $11! \approx 2^{25}$.
De Cannière lists the 302 equivalence classes for the 4 × 4 bijections [7]: the class of affine functions, 6 classes containing quadratic functions and the remaining 295 classes containing cubic functions.¹ The classes are listed in Tables 8–10 in the Appendix. The numbering of the classes is derived from the lexicographical ordering of the truth tables of the S-boxes. In order to increase readability, we introduce the following notation: $A^n_i$, $Q^n_j$, $C^n_k$ denote the affine class number i, the quadratic class number j and the cubic class number k of permutations of $\mathbb{F}_2^n$.
2.4 Order of a permutation
All bijections from a set X to itself (also called permutations) form the symmetric group on X, denoted by $S_X$. A transposition is a permutation which exchanges two elements and keeps all others fixed. A classical theorem states that every permutation can be written as a product of transpositions [28], and although the representation of a permutation as a product of transpositions is not unique, the number of transpositions needed to represent a given permutation is either always even or always odd. The set of all even permutations forms a normal subgroup of $S_X$, which is called the alternating group on X and denoted by $A_X$. The alternating group contains half of the elements of $S_X$. Instead of $A_X$ and $S_X$, we will write here $A_n$ and $S_n$, where n is the size of the set X.
2.5 Known S-boxes and their classes
There are only a few cryptographically significant 3 × 3 S-boxes: the inversion in $GF(2^3)$, the PRINTcipher [13], the Threeway [9] and the Baseking [10] S-boxes. They all belong to Class 3. There are many cryptographically significant 4 × 4 S-boxes. Table 11 in the Appendix lists some of them and the class to which they belong.
2.6 The inverse S-box
Note that $S^{-1}$, the inverse S-box, is not necessarily affine equivalent to S and in this case may not have the same algebraic degree. We know, however, that the inverse of an affine permutation is always an affine permutation. In the case of 3 × 3 S-boxes it follows that the inverse of a quadratic permutation is again a quadratic permutation. Moreover, it can be shown that the 3 quadratic classes in $S_8$ are self-inverse, i.e. $S^{-1}$ belongs to the same class as S. In the case n = 4, we can apply the following lemma.
Lemma 2 ([5]). Let F be a permutation of $GF(2^n)$; then $\deg(F^{-1}) = n - 1$ if and only if $\deg(F) = n - 1$.
Since the inverse of an affine S-box is affine, and, when n = 4, the inverse of a cubic S-box is cubic, it follows that in this case the inverse of a quadratic S-box is quadratic. The Keccak S-box (n = 5) [2] is an example where the algebraic degree of the inverse S-box (3) is different from the algebraic degree of the S-box itself (2).
We have observed that there are 172 self-inverse classes in $S_{16}$. The remaining 130 classes form 65 pairs, i.e., any S-box S of the first class has an inverse S-box $S^{-1}$ in the second class (and vice versa). Table 1 gives the list of the pairs of inverse classes.
¹ Independent of [7, 14], Saarinen classified the 4 × 4 S-boxes using a different equivalence relation [29].
Table 1: Pairs of inverse classes (65 pairs of inverse classes; the remaining 172 classes are self-inverse)
$(C^4_{29}, C^4_{30})$, $(C^4_{33}, C^4_{34})$, $(C^4_{39}, C^4_{40})$, $(C^4_{43}, C^4_{44})$, $(C^4_{47}, C^4_{48})$, $(C^4_{49}, C^4_{50})$, $(C^4_{52}, C^4_{53})$, $(C^4_{58}, C^4_{59})$, $(C^4_{60}, C^4_{61})$,
$(C^4_{63}, C^4_{64})$, $(C^4_{66}, C^4_{67})$, $(C^4_{68}, C^4_{69})$, $(C^4_{70}, C^4_{71})$, $(C^4_{73}, C^4_{74})$, $(C^4_{79}, C^4_{80})$, $(C^4_{85}, C^4_{86})$, $(C^4_{87}, C^4_{88})$, $(C^4_{90}, C^4_{91})$,
$(C^4_{93}, C^4_{94})$, $(C^4_{95}, C^4_{96})$, $(C^4_{97}, C^4_{98})$, $(C^4_{103}, C^4_{104})$, $(C^4_{105}, C^4_{106})$, $(C^4_{108}, C^4_{109})$, $(C^4_{110}, C^4_{111})$, $(C^4_{112}, C^4_{113})$,
$(C^4_{114}, C^4_{115})$, $(C^4_{116}, C^4_{117})$, $(C^4_{120}, C^4_{121})$, $(C^4_{123}, C^4_{124})$, $(C^4_{126}, C^4_{127})$, $(C^4_{128}, C^4_{129})$, $(C^4_{130}, C^4_{131})$,
$(C^4_{132}, C^4_{133})$, $(C^4_{143}, C^4_{144})$, $(C^4_{147}, C^4_{148})$, $(C^4_{150}, C^4_{151})$, $(C^4_{152}, C^4_{153})$, $(C^4_{154}, C^4_{155})$, $(C^4_{156}, C^4_{157})$,
$(C^4_{158}, C^4_{159})$, $(C^4_{161}, C^4_{162})$, $(C^4_{164}, C^4_{165})$, $(C^4_{166}, C^4_{167})$, $(C^4_{169}, C^4_{170})$, $(C^4_{171}, C^4_{172})$, $(C^4_{181}, C^4_{182})$,
$(C^4_{183}, C^4_{184})$, $(C^4_{185}, C^4_{186})$, $(C^4_{190}, C^4_{191})$, $(C^4_{199}, C^4_{200})$, $(C^4_{201}, C^4_{202})$, $(C^4_{203}, C^4_{204})$, $(C^4_{206}, C^4_{207})$,
$(C^4_{209}, C^4_{210})$, $(C^4_{211}, C^4_{212})$, $(C^4_{214}, C^4_{215})$, $(C^4_{226}, C^4_{227})$, $(C^4_{229}, C^4_{230})$, $(C^4_{233}, C^4_{234})$, $(C^4_{241}, C^4_{242})$,
$(C^4_{243}, C^4_{244})$, $(C^4_{256}, C^4_{257})$, $(C^4_{259}, C^4_{260})$, $(C^4_{296}, C^4_{297})$.
3 Decomposition of 4 × 4 S-boxes
In this section we consider all 4 × 4 bijections, and investigate when a cubic bijection from $S_{16}$ can be decomposed as a composition of quadratic bijections. We will refer to the minimum number of quadratic bijections in such a decomposition as the decomposition length. Recall that the Noekeon S-box is cubic but defined as a composition of two quadratic S-boxes in $\mathbb{F}_2^4$: $S(x) = S_2(S_1(x))$. Similarly, the Present S-box is cubic but has also been shown to be decomposable into two quadratic S-boxes.
Lemma 3. If an S-box S can be decomposed into a sequence of t quadratic S-boxes, then all S-boxes which are affine equivalent to S can be decomposed into a sequence of t quadratic S-boxes.
Proof. Let S be a cubic permutation which can be decomposed as a composition of quadratic bijections $Q_1 \circ Q_2 \circ \ldots \circ Q_{t-1} \circ Q_t$ with length t. Let W be an S-box which is affine equivalent to S. By definition, there exist affine permutations A and B s.t. $W = B \circ S \circ A$. Therefore $W = B \circ Q_1 \circ Q_2 \circ \ldots \circ Q_{t-1} \circ Q_t \circ A$; now by defining two quadratic permutations $Q'_1 = B \circ Q_1$ and $Q'_t = Q_t \circ A$ we obtain that $W = Q'_1 \circ Q_2 \circ \ldots \circ Q_{t-1} \circ Q'_t$ has a decomposition with quadratic permutations and that its length is t. ⊓⊔
Lemma 4 ([32]). For all n, the n × n affine bijections are in the alternating group.
Lemma 5. All 4 × 4 quadratic S-boxes belong to the alternating group $A_{16}$.
Proof. Since all invertible affine transformations are in the alternating group (the previous Lemma), two S-boxes which are affine equivalent are either both even or both odd. We have taken one representative of each of the 6 quadratic classes $Q^4_i$ for $i \in \{4, 12, 293, 294, 299, 300\}$ [7] and have verified that their parities are even. ⊓⊔
Now we investigate which permutations we can generate by combining the affine and the quadratic permutations. We start with the following lemma.
Lemma 6. Let $Q_i$ be 6 arbitrarily selected representatives of the 6 quadratic classes $Q^4_i$. (Hence $i \in \{4, 12, 293, 294, 299, 300\}$.) Then all cubic permutations S that have decomposition length 2 are affine equivalent to one of the cubic permutations that can be written as
$$\tilde{S}_{i \times j} = Q_i \circ A \circ Q_j, \qquad (2)$$
where A is an invertible affine permutation and $i, j \in \{4, 12, 293, 294, 299, 300\}$.
Proof. Assume that $S = Q_a \circ Q_b$. Then we know that there are invertible affine maps $A_a, B_a, A_b, B_b$ such that $S = (B_a \circ Q_i \circ A_a) \circ (B_b \circ Q_j \circ A_b)$, where $Q_i, Q_j$ are two of the representatives defined above. We choose $A = A_a \circ B_b$ and $\tilde{S}_{i \times j} = B_a^{-1} \circ S \circ A_b^{-1}$. ⊓⊔
It follows that we can construct all cubic classes of decomposition length 2 by running through the 36 possibilities of i × j and the 322560 invertible affine transformations in (2). This approach produces 30 cubic classes. In the remainder, we will denote the S-boxes $\tilde{S}_{i \times j}$ by i × j and refer to them as the simple solutions. Table 12 in the Appendix lists the simple solutions for all 30 decompositions with length 2. Note that if $Q_i \circ A \circ Q_j = S$, i.e. S can be decomposed as a product of i × j, then $Q_j^{-1} \circ A^{-1} \circ Q_i^{-1} = S^{-1}$. Since for n = 4 all quadratics are affine equivalent to their inverse, it follows that $S^{-1}$ is decomposed as a product of j × i. Thus any self-inverse class has decomposition i × j and j × i as well. For the pairs of inverse classes we conclude that if i × j belongs to the first class then j × i belongs to the second class.
To obtain all decompositions with length 3 we use a similar approach as for length 2, but the first permutation $Q_i$ is cubic (instead of quadratic) and belongs to the already found list of cubic classes decomposable with length 2. It turns out that we can generate in this way the 114 remaining elements of $A_{16}$.
Summarizing, we can prove the following Theorem and Lemma (stated without proof in [8]).
Theorem 1. A 4 × 4 bijection can be decomposed using quadratic bijections if and only if it belongs to the alternating group $A_{16}$ (151 classes).
Proof. (⇒) Let S be a bijection which can be decomposed with quadratic permutations, say $Q_1 \circ Q_2 \circ \ldots \circ Q_t$. Since all $Q_i \in A_{16}$ (Lemma 5) and the alternating group is closed, it follows that $S \in A_{16}$.
(⇐) Lemma 3, Lemma 6 and the discussion following it imply that we can generate all elements of the alternating group using quadratic permutations. ⊓⊔
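As an added example (not code from the paper), the following Python turns Theorem 1 into a practical check for a given 4 × 4 S-box: it computes the algebraic degree from the ANF (in-place Möbius transform) and the permutation parity by cycle decomposition, so a cubic S-box is decomposable into quadratic bijections exactly when the parity comes out even. The Present S-box lookup table is the published one; SWAP01 is a constructed odd permutation used as a counterexample.

```python
def anf_degree(sbox, n):
    """Algebraic degree of an n-bit S-box given as a lookup table: the maximum,
    over the n coordinate functions, of the weight of any monomial with a
    nonzero ANF coefficient (in-place Moebius transform of each truth table)."""
    size = 1 << n
    degree = 0
    for bit in range(n):
        coeffs = [(sbox[x] >> bit) & 1 for x in range(size)]
        for i in range(n):
            for x in range(size):
                if x & (1 << i):
                    coeffs[x] ^= coeffs[x ^ (1 << i)]
        for x in range(size):
            if coeffs[x]:
                degree = max(degree, bin(x).count("1"))
    return degree


def is_even_permutation(perm):
    """Parity of a permutation of {0, ..., N-1}: its sign is (-1)^(N - #cycles),
    so it is even (lies in the alternating group) iff N - #cycles is even."""
    seen = [False] * len(perm)
    cycles = 0
    for start in range(len(perm)):
        if not seen[start]:
            cycles += 1
            j = start
            while not seen[j]:
                seen[j] = True
                j = perm[j]
    return (len(perm) - cycles) % 2 == 0


def quadratic_decomposable(sbox, n=4):
    """Theorem 1 for 4 x 4 bijections: decomposable into quadratic bijections
    iff the permutation is in A_16.  Returns (algebraic degree, decomposable)."""
    if sorted(sbox) != list(range(1 << n)):
        raise ValueError("not a bijection on {0, ..., 2^n - 1}")
    return anf_degree(sbox, n), is_even_permutation(sbox)


# published Present S-box (C56B90AD3EF84712), cubic and, as the paper recalls,
# known to split into two quadratic S-boxes, hence it must be even
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# constructed odd example: the identity with 0 and 1 swapped (one transposition)
SWAP01 = [1, 0] + list(range(2, 16))

if __name__ == "__main__":
    print(quadratic_decomposable(PRESENT))  # (3, True): cubic, in A_16
    print(quadratic_decomposable(SWAP01))   # (3, False): cubic, in S_16 \ A_16
```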
The left-hand-side columns of Table 2 list the decompositions of all 4 × 4 S-boxes. Theorem 1 implies that the classes which are not in the alternating group, i.e. in $S_{16} \setminus A_{16}$, can't be decomposed as a product of quadratic classes. Now we make the following simple observation:
Lemma 7. Let $\tilde{S}$ be a fixed permutation in $S_{16} \setminus A_{16}$; then any cubic permutation from $S_{16} \setminus A_{16}$ can be presented as a product of $\tilde{S}$ and a permutation from $A_{16}$.
Proof. By definition, all permutations in $S_{16} \setminus A_{16}$ are odd permutations, and if $\tilde{S} \in S_{16} \setminus A_{16}$, then $\tilde{S}^{-1} \in S_{16} \setminus A_{16}$. Since the product of two odd permutations is even, we have: $\forall S \in S_{16} \setminus A_{16}: S \circ \tilde{S}^{-1} \in A_{16}$. It follows that $\exists T \in A_{16}: S \circ \tilde{S}^{-1} = T$, i.e. $S = T \circ \tilde{S}$. ⊓⊔
4 Sharing with 3, 4 and 5 shares
In this section we focus first on the permutations which can be shared with 3 shares, i.e. all S-boxes in $\mathbb{F}_2^3$ and half of the S-boxes in $\mathbb{F}_2^4$. Next we focus on those functions that can be shared with 4 shares, i.e. the other half of the S-boxes in $\mathbb{F}_2^4$. Then, we will show how to share all of these S-boxes in $\mathbb{F}_2^4$ with 5 shares without need of a decomposition.
4.1 A basic result
Theorem 2. If we have a sharing for a representative of a class, then
we can derive a sharing for all S-boxes from the same class.
Proof. Let S be an n × n S-box which has a uniform, non-complete and
correct sharing S̄ using s shares Si . Denote the input vector of S by x,
and the shares by xi . Each Si contains n coordinate shared functions
depending on at most (s − 1) of the xi , such that the noncompleteness
property is satisfied. We denote by xi the vector containing the s − 1
inputs of Si .
We now construct a uniform, non-complete and correct sharing for
any S-box S̃ which is affine equivalent to S. By definition, there exist two
n × n invertible affine permutations A and B s.t. S̃ = B ◦ S ◦ A. In order
to lighten notation, we give the proof for the case that A and B are linear
permutations. We define Ā, B̄ as the ns × ns permutations that apply A,
respectively B, to each of the shares separately:
Ā(x1 , x2 , . . . xs ) = (A(x1 ), A(x2 ), . . . A(xs )),
B̄(x1 , x2 , . . . xs ) = (B(x1 ), B(x2 ), . . . B(xs )).
Denote yi = A(xi ), 1 ≤ i ≤ s and define yi as the vector containing the s−
1 shares yi that we need to compute Si . Consider S̄(Ā(x1 , x2 , . . . , xs )) =
(S1 (y1 ), S2 (y2 ), . . . Ss (ys )). By slight abuse of notation we can write yi =
Ā(xi ) and see that the noncompleteness of the S̄i is preserved in S̄ ◦ Ā.
Since Ā is a permutation, it preserves the uniformity of the input and
since S̄ is uniform so will be the composition S̄ ◦ Ā. The correctness
follows from the fact that S̄ is a correct sharing and that
y1 +y2 +· · ·+ys = A(x1 )+A(x2 )+· · ·+A(xs ) = A(x1 +x2 +. . . xs ) = A(x).
Consider now B̄(S̄(A(x))) = (B(S1 (y1 )), B(S2 (y2 )), . . . , B(Ss (ys ))). Since
B̄ is a permutation, it preserves uniformity of the output and since S̄
is uniform, the composition B̄ ◦ S̄ is uniform. The composition is noncomplete since the S̄i are non-complete and B̄ doesn’t combine different
shares. Correctness follows from the fact that S̄ is a correct sharing and
hence
$B(S_1(\mathbf{y}_1)) + B(S_2(\mathbf{y}_2)) + \cdots + B(S_s(\mathbf{y}_s)) = B(S_1(\mathbf{y}_1) + S_2(\mathbf{y}_2) + \cdots + S_s(\mathbf{y}_s)) = B(S(A(x))).$ ⊓⊔
4.2 Direct sharing
The most difficult property to be satisfied when the function is shared
is the uniformity. Assume that we want to construct a sharing for the
function F (x, y, z) with 3 shares. Then it is easy to produce a sharing
which satisfies the correctness and the non-completeness requirements
and is rotation symmetric, by means of a method that we call the direct
sharing method, and that we now describe. First, we replace every input
variable by the sum of 3 shares. The correctness is satisfied if we ensure
that
$F_1 + F_2 + F_3 = F(x_1 + x_2 + x_3,\; y_1 + y_2 + y_3,\; z_1 + z_2 + z_3).$
In order to satisfy non-completeness, we have to divide the terms of the right hand side over the three $F_j$ in such a way that $F_j$ doesn't contain a term in $x_j$. We achieve this by assigning the linear terms containing an index j to $F_{j-1}$, the quadratic terms containing indices j and j + 1 to $F_{j-1}$ and the quadratic terms containing index j only to $F_{j-1}$ (indices are taken cyclically, so that $F_0$ means $F_3$ and index 4 means index 1). For example, F(x, y, z) = x + yz gives:
$F_1 = x_2 + z_2 y_2 + z_2 y_3 + z_3 y_2$
$F_2 = x_3 + z_3 y_3 + z_3 y_1 + z_1 y_3$
$F_3 = x_1 + z_1 y_1 + z_1 y_2 + z_2 y_1.$
Note that the uniformity of a sharing produced in this way is not guaranteed. It has to be verified separately. The method can easily be generalized for a larger number of shares.
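As an added example (not code from the paper), the direct sharing rule above implemented for 3 shares, together with an exhaustive check of the three TI properties for a single-output Boolean function. It reproduces the sharing of F(x, y, z) = x + yz given in the text and also shows that the bare AND yz, shared the same way, is correct and non-complete but not uniform, which is why uniformity has to be verified separately. Variable and share indices are 0-based in the code (so $x_2$ in the text is (0, 1) here).

```python
from itertools import product

S = 3  # number of shares; the assignment rule below is the 3-share rule of the text


def assign_share(idx_set):
    """Index k of the share function F_k that receives a term whose share indices
    are idx_set (0-based).  A term with a single index i goes to F_{i-1}; a term
    with indices {i, i+1} (cyclically) also goes to F_{i-1}.  In both cases k is
    never in idx_set, which is what gives non-completeness."""
    if len(idx_set) == 1:
        (i,) = idx_set
        return (i - 1) % S
    i, j = sorted(idx_set)
    base = i if (i + 1) % S == j else j   # the index whose cyclic successor is the other
    return (base - 1) % S


def direct_sharing(monomials):
    """monomials: ANF of a Boolean function of degree <= 2 as a list of tuples of
    variable indices, e.g. [(0,), (1, 2)] for F(x, y, z) = x + yz.
    Returns S lists of monomials over shared variables, each written as (var, share)."""
    shares = [[] for _ in range(S)]
    for mono in monomials:
        if not 1 <= len(mono) <= 2:
            raise ValueError("direct sharing here handles linear and quadratic terms only")
        # replace every variable by the sum of its shares and expand the product
        for idx in product(range(S), repeat=len(mono)):
            term = tuple(zip(mono, idx))
            shares[assign_share(frozenset(idx))].append(term)
    return shares


def eval_plain(monomials, x):
    acc = 0
    for mono in monomials:
        t = 1
        for v in mono:
            t &= x[v]
        acc ^= t
    return acc


def eval_shared(share_fn, sh):
    acc = 0
    for term in share_fn:
        t = 1
        for v, i in term:
            t &= sh[v][i]
        acc ^= t
    return acc


def check_sharing(monomials, nvars, shares):
    """Exhaustively test correctness, non-completeness and uniformity of a sharing
    of a single-output function (n = 1) of nvars inputs (m = nvars)."""
    non_complete = all(i != k for k in range(S) for term in shares[k] for _, i in term)
    correct = True
    counts = {}
    for bits in product((0, 1), repeat=nvars * S):
        sh = [bits[v * S:(v + 1) * S] for v in range(nvars)]   # sh[var][share]
        x = [sum(sh[v]) % 2 for v in range(nvars)]              # unshared inputs
        out = tuple(eval_shared(shares[k], sh) for k in range(S))
        if sum(out) % 2 != eval_plain(monomials, x):
            correct = False
        counts[out] = counts.get(out, 0) + 1
    # uniformity: every output share vector (a_1, ..., a_S) with sum a must occur
    # exactly 2^{(S-1)(m-n)} * |F^{-1}(a)| times, here with n = 1
    preimages = [0, 0]
    for x in product((0, 1), repeat=nvars):
        preimages[eval_plain(monomials, x)] += 1
    factor = 2 ** ((S - 1) * (nvars - 1))
    uniform = all(counts.get(out, 0) == factor * preimages[sum(out) % 2]
                  for out in product((0, 1), repeat=S))
    return correct, non_complete, uniform


def share_and_check(monomials, nvars):
    return check_sharing(monomials, nvars, direct_sharing(monomials))


if __name__ == "__main__":
    print(direct_sharing([(0,), (1, 2)]))        # the three F_j of x + yz
    print(share_and_check([(0,), (1, 2)], 3))    # (True, True, True)
    print(share_and_check([(0, 1)], 2))          # (True, True, False): AND alone is not uniform
```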
Direct sharing has been used in [25] for the decomposition of the
quadratic permutations F and G of the Present S-box S and similarly for
Noekeon [22], Keccak [3].
With the direct sharing method we were able to find sharings respecting the uniformity condition for all 1344 permutations of $Q^3_1$, but none of $Q^3_2$ and $Q^3_3$. We were also able to find sharings for all 322560 permutations of $Q^4_4$, $Q^4_{294}$ and $Q^4_{299}$, but none of $Q^4_{12}$, $Q^4_{293}$ and $Q^4_{300}$. So, unfortunately, half of the quadratic S-boxes can't be shared directly with length 1, but we can still find a sharing with length 2 by decomposing them as a composition of the already shared quadratic S-boxes. Thus, if we use only direct sharing we will be able to find sharings for all S-boxes in the alternating group, but at the cost of a longer path.
4.3 Correction terms
Since direct sharing does not always result in a uniform sharing, the use of correction terms (CT) has been proposed [19, 21]. Correction terms are terms that can be added in pairs to more than one share such that they satisfy the non-completeness rule. Since the terms in a pair cancel each other, the sharing still satisfies the correctness.
By varying the CT one can obtain all possible sharings of a given function. Consider a Boolean quadratic function with m variables (1 output bit), which we want to share with 3 shares. Note that the only terms which can be used as CT are $x_i$ or $x_i y_i$ (or higher degree) for i = 1, 2, 3. Indeed, terms like $x_i y_j$ for $i \neq j$ can't be used in the i-th and j-th share of the function because of the non-completeness rule, and therefore such a term can be used in only 1 share, hence it can't be used as a CT.
Thus, counting only the linear and quadratic CT and ignoring the constant terms, which do not influence the uniformity, for a quadratic function with m variables we obtain that there are $3\left(m + \binom{m}{2}\right)$ CT. Taking into account all possible positions for the CT we get $2^{3(m + \binom{m}{2})}$ sharings. For example, for a quadratic function of 3 variables there are $2^{18}$ possible CT and therefore for a 3 × 3 S-box the search space will be $2^{54}$. This makes the exhaustive search (to find a single good solution) over all CT impractical, even for small S-boxes. For sharing with 4 shares even more terms can be used as CT.
4.4 A link between the 3 × 3 S-boxes and some quadratic 4 × 4 S-boxes
Lemma 8. There is a transformation which expands $Q^3_1$, $Q^3_2$ and $Q^3_3$ into $Q^4_4$, $Q^4_{12}$ and $Q^4_{300}$ correspondingly.
Proof. Starting from a 3 × 3 S-box S and adding a new variable we can obtain a 4 × 4 S-box $\tilde{S}$. Namely, the transformation is defined as follows: let $S(w, v, u) = (y_1, y_2, y_3)$ and define $\tilde{S}(x, w, v, u) = (y_1, y_2, y_3, x)$. It is easy to check that this transformation maps the first 3 classes into the other 3 classes. ⊓⊔
The relation from Lemma 8 explains why, if we have a sharing for a class in $\mathbb{F}_2^3$, we also obtain a sharing for the corresponding class in $\mathbb{F}_2^4$ and vice versa, i.e., if we can't share a class, the corresponding class also can't be shared. The results we have obtained with 3 shares are summarized in Table 2 (middle columns).
Recall that if we use only direct sharing we will be able to share with 3 shares all S-boxes in the alternating group, but at the cost of a longer path than the one obtained by decomposition. However, using CT we found sharings for the classes $Q^3_1$, $Q^3_2$, $Q^4_4$, $Q^4_{12}$, $Q^4_{293}$, $Q^4_{294}$ and $Q^4_{299}$. So all quadratic classes except $Q^3_3$ and $Q^4_{300}$ can be shared with 3 shares and without decomposition. We want to pose an open question: find a sharing without decomposition for the classes $Q^3_3$ and $Q^4_{300}$, or show why they can't be shared with 3 shares in that way.
4.5 Sharing using decomposition
As an alternative to the search through a set of correction terms, we can also construct sharings after using decomposition: we try to decompose S-boxes into S-boxes for which we already have sharings. This decomposition problem is more constrained than the basic problem discussed in Section 3 for sharing with 3 shares, since we can use only the quadratic S-boxes for which we already have a sharing. It turns out that this extra requirement sometimes increases the decomposition length by one. For example, the decomposition for $Q^3_3$ is 1 × 2 and 2 × 1, i.e., we obtain a sharing for $Q^3_3$ at the cost of length 2 (instead of length 1). Similarly, $Q^4_{300}$ can be decomposed as 4 × 12, 4 × 293, 12 × 4, 12 × 294, 293 × 4, 293 × 294, 294 × 12 and 294 × 293, so again we obtain a sharing with length 2. Table 2 (right columns) gives the results.
Recall that one can't find a sharing with 3 shares for cubic functions outside the alternating group. Thus, 4 shares will be required in this case. Using direct sharing with 4 shares we obtain slightly better results for the quadratic S-boxes compared to 3 shares, since we were able to share also class $Q^4_{300}$ (and therefore $Q^3_3$ too). The sharing of class $Q^4_{300}$ has further improved the sharings of $C^4_{130}$, $C^4_{131}$ and $C^4_{24}$, which have sharings with shorter length for 4 shares than for 3 shares. We have also found sharings with 4 shares for the cubic classes $C^4_1$, $C^4_3$, $C^4_{13}$ and $C^4_{301}$ from $S_{16} \setminus A_{16}$ using direct sharing. By using Lemma 7 we obtain sharings with 4 shares for all 4 × 4 S-boxes. Observe that the total length of the sharing depends on the class we use ($C^4_1$, $C^4_3$, $C^4_{13}$ and $C^4_{301}$) and also on the class from the alternating group which is used for the decomposition. For example, class $C^4_7$ can be decomposed using $C^4_1$ with length 4, but with classes $C^4_3$ and $C^4_{13}$ it can be decomposed with length 3. Note also that the number of solutions differs: we have found 10, 31 and 49 solutions when using $C^4_1$, $C^4_3$ and $C^4_{13}$, correspondingly. Surprisingly, for the classes in the alternating group we have only a slight improvement with 4 shares compared to 3 shares, and only a few classes in $S_{16} \setminus A_{16}$ have a direct sharing with 4 shares. However, with 5 shares all classes can be shared directly without decomposition, which is a big improvement compared to the situation with 4 shares.
Table 2: Overview of the numbers of classes of 4 × 4 S-boxes that can be decomposed and shared using 3 shares, 4 shares and 5 shares. The numbers are split up according to the decomposition length of the S-boxes (1, 2, 3, or 4), respectively their shares.

                     unshared        3 shares             4 shares          5 shares   remark
length               1    2    3     1    2    3    4     1    2    3       1
                     6               5    1               6                 6          quadratics
                          30              28   2               30           30         cubics in A16
                               114             113  1               114     114        cubics in A16
                     –               –                    4    22   125     151        cubics in S16 \ A16
An open question is why for all S-boxes the sharing with 4 shares does
not improve significantly the results compared to 3 shares and suddenly
with 5 shares we can share all classes with length 1.
Recall that for the Present S-box, decompositions S(x) = F(G(x)) have been found in [25]. The authors also made the observation that exactly 73 sharings out of the decompositions automatically satisfy the uniformity condition (i.e. without any correction terms). Recall that with the direct sharing method without CT we (as well as the authors of [25]) were able to share only 3 quadratic classes: $Q^4_4$, $Q^4_{294}$ and $Q^4_{299}$. The Present S-box belongs to $C^4_{266}$ and has 7 simple solutions (see Table 12), but only 3 of them can be shared, namely 294 × 299, 299 × 294 and 299 × 299, which explains the authors' observation.
In Tables 7–10, the column Sharing describes the length of the found
sharings with 3 and with 4 shares, separated by a comma. Since all classes
can be shared with 5 shares with length 1 we omit this fact in these tables.
Recall that for the S-boxes in S16 \ A16 no solution with 3 shares exist
which is indicated in the table by a −. Note that the DES 6 × 4 S-boxes
can be considered as an affine 2 × 2 selection S-box with four 4 × 4 Sboxes attached. Since we have sharings for both 2 × 2 and 4 × 4 S-boxes
we conclude that we have sharings for the DES 6 × 4 S-boxes as well.
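As an added example (not part of the paper), the following Python code checks two properties of the class representatives in Tables 8–10 that the text relies on: the algebraic degree behind the A/Q/C class letters, and the permutation parity that decides membership in A16 and hence, by the observation above, whether the Sharing column has a 3-share entry. The sample rows are copied from Tables 8 and 10; the function names are this example's own.

```python
# Added example (not from the paper): check, for a few class representatives
# copied from Tables 8 and 10, that the A/Q/C letter of the class matches the
# algebraic degree of the S-box, and that the Sharing column has a 3-share
# entry exactly when the permutation is even (i.e. the class lies in A16).


def parse_truth_table(hex_string):
    """'0123456789ABCDFE' -> list of 16 output nibbles, indexed by input."""
    table = [int(c, 16) for c in hex_string]
    if sorted(table) != list(range(16)):
        raise ValueError("not a permutation of 0..15")
    return table


def algebraic_degree(table):
    """Degree of the 4-bit S-box: the maximum over its four coordinate
    functions, each converted from truth table to ANF by the Moebius transform."""
    degree = 0
    for bit in range(4):
        anf = [(table[x] >> bit) & 1 for x in range(16)]
        for i in range(4):  # in-place Moebius transform, one variable at a time
            for x in range(16):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        degree = max([degree] + [bin(x).count("1") for x in range(16) if anf[x]])
    return degree


def is_even_permutation(table):
    """Parity from the cycle decomposition: a cycle of length k is k-1
    transpositions; even parity means the S-box lies in A16."""
    seen = [False] * 16
    transpositions = 0
    for start in range(16):
        x, length = start, 0
        while not seen[x]:
            seen[x] = True
            x = table[x]
            length += 1
        transpositions += max(length - 1, 0)
    return transpositions % 2 == 0


# Constructed sample (label, truth table, Sharing column) from Tables 8 and 10.
SAMPLE_ROWS = [
    ("A^4_0",   "0123456789ABCDEF", "1,1"),
    ("C^4_1",   "0123456789ABCDFE", "-,1"),
    ("C^4_2",   "0123456789ABCEFD", "3,3"),
    ("C^4_3",   "0123456789ABDEFC", "-,1"),
    ("Q^4_4",   "0123456789ABDCFE", "1,1"),
    ("C^4_266", "0123468A5BCFED97", "2,2"),  # class of the Present S-box
    ("Q^4_300", "0123458967CDEFAB", "2,1"),
    ("C^4_301", "0123458967CDEFBA", "-,1"),
]

LETTER_FOR_DEGREE = {1: "A", 2: "Q", 3: "C"}  # affine, quadratic, cubic


def classify(label, hex_table, sharing):
    """Return (letter agrees with degree, parity agrees with Sharing column)."""
    table = parse_truth_table(hex_table)
    letter_ok = LETTER_FOR_DEGREE[algebraic_degree(table)] == label[0]
    has_three_share_sharing = not sharing.startswith("-")
    parity_ok = is_even_permutation(table) == has_three_share_sharing
    return letter_ok, parity_ok


def check_all(rows=SAMPLE_ROWS):
    """True iff every sample row is consistent on both counts."""
    return all(all(classify(*row)) for row in rows)


if __name__ == "__main__":
    for label, hex_table, sharing in SAMPLE_ROWS:
        table = parse_truth_table(hex_table)
        group = "A16" if is_even_permutation(table) else "S16 \\ A16"
        print(f"{label:8s} {hex_table} {sharing:4s} degree={algebraic_degree(table)} {group}")
    print("all sample rows consistent:", check_all())
```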
5 HW implementation of the sharings
In this section, our aim is to provide a fair comparison and prediction of
what the cost (ratio of area to a NAND gate, referred to as GE) will be
for a protected S-box in a specified library. For our investigations we used
the TSMC 0.18µm standard cell library in the Synopsys development tool.
Quadratic classes and cubic classes with length 1 form the basis of
all our implementations. Therefore, we concentrated our efforts on these
classes. While considering 3 × 3 S-boxes we synthesized 840 affine equivalent
S-boxes for each class. However, the number of S-boxes in a class
increases to more than 322560 as we move to 4 × 4 S-boxes. In that case,
we chose 1000 S-boxes per class to synthesize.
Table 3: S8: Quadratic S-boxes sharing (area in GE)

Class    Sharing           Original  Unshared    Shared    Shared    Shared
in S8    length (L)        S-box     decomposed  3 shares  4 shares  5 shares
                                     (L reg)     (L reg)   (1 reg)   (1 reg)
Q^3_1    1           Min   27.66     –            98.66    138.00    148.00
                     Max   29.66     –           121.66    150.00    185.66
Q^3_2    1           Min   29.00     –           116.66    174.00    180.00
                     Max   29.66     –           155.00    226.66    220.33
Q^3_3    2           Min   30.00     50.00       194.33    140.00    167.00
                     Max   32.00     51.00       201.00    194.33    228.66
In Tables 3, 4 and 5 we show, for each class, the implementation results
only for the S-box with the minimum GE from our synthesis of the original
S-boxes (over the class), as well as for the S-box with the maximum
GE. However, note that the Min and Max values should only be taken
as indications.
The area results listed in the column Original S-box for an n × n S-box
include one n-bit register. If a decomposition is necessary for a correct,
non-complete and uniform sharing, then we included registers in between
every pipelining operation as required [22], which increases the cost as
expected.

Table 4: A16: Quadratic S-boxes sharing (area in GE)

Class      Sharing           Original  Unshared    Shared    Shared    Shared
in S16     length (L)        S-box     decomposed  3 shares  4 shares  5 shares
                                       (L reg)     (L reg)   (1 reg)   (1 reg)
Q^4_4      1           Min   37.33     –           121.33    168.33    186.33
                       Max   44.00     –           223.33    258.00    309.00
Q^4_12     1           Min   36.66     –           139.33    204.00    218.00
                       Max   48.00     –           253.33    290.33    340.66
Q^4_293    1           Min   39.33     –           165.33    194.33    235.00
                       Max   48.66     –           297.33    313.00    358.33
Q^4_294    1           Min   40.00     –           141.33    170.33    210.33
                       Max   49.66     –           261.00    240.00    255.00
Q^4_299    1           Min   40.33     –           174.33    211.00    247.00
                       Max   48.00     –           298.00    295.33    294.66
Q^4_300    2           Min   33.66     58.00       207.33    209.66    249.33
                       Max   52.66     70.00       346.00    295.00    342.33
For classes with decomposition length more than 1, we randomly
choose a class representative, i.e. an S-box. Then we implement the smallest
amongst all possible decompositions of this S-box, namely the one
which gives the minimum GE. We saw that the classes Q^3_3, Q^4_300, C^4_150,
C^4_151, C^4_130, C^4_131, C^4_24, C^4_204, C^4_257 and C^4_210 give relatively
small results when implemented as 2 × 1, 12 × 4, 12 × 293, 293 × 12,
12 × 4 × 299, 299 × 12 × 4, 299 × 12 × 4 × 299, 3 × 294, 3 × 12 and
3 × 293 × 12, respectively. The area figures for C^4_204 and C^4_257 differ
significantly. Closer inspection reveals that this is due to the fact that
their decompositions use different S-boxes from C^4_3; the S-box used in
the decomposition of C^4_204 is smaller than the one in the decomposition
of C^4_257.
Table 5: S16: Cubic S-boxes sharing (area in GE)

Class               Sharing        Original  Unshared    Shared    Shared    Shared
in S16              (L, L')        S-box     decomposed  3 shares  4 shares  5 shares
                                             (L' reg)    (L reg)   (L' reg)  (1 reg)
C^4_1 ∈ S16 \ A16    1,1     Min   39.66     –           –         213.66    273.66
                             Max   40.33     –           –         378.00    464.66
C^4_3 ∈ S16 \ A16    1,1     Min   40.33     –           –         230.33    286.33
                             Max   43.00     –           –         413.66    500.66
C^4_13 ∈ S16 \ A16   1,1     Min   40.33     –           –         260.00    319.00
                             Max   41.33     –           –         423.00    502.66
C^4_301 ∈ S16 \ A16  1,1     Min   39.33     –           –         289.33    350.33
                             Max   59.33     –           –         526.33    605.66
C^4_150 ∈ A16        2,2           46.33     71.66       305.33    430.66    414.33
C^4_151 ∈ A16        2,2           47.33     69.66       286.00    410.00    390.00
C^4_130 ∈ A16        3,2           48.00     97.33       393.00    375.66    442.66
C^4_131 ∈ A16        3,2           50.00     99.00       386.00    363.33    435.66
C^4_24 ∈ A16         4,3           48.33    151.33       674.00    616.66    734.66
C^4_204 ∈ S16 \ A16  2,2           49.00     80.33       –         413.00    501.33
C^4_257 ∈ S16 \ A16  2,2           47.66     73.66       –         486.00    594.00
C^4_210 ∈ S16 \ A16  3,3           47.66    119.33       –         602.00    695.33

6 Extensions
We present here two extensions to the basic approach.
6.1 Virtual variables and virtual shares
For some Boolean functions with two inputs there is no sharing with
3 shares satisfying the three requirements [19, 21]. For example, this is
the case with the multiplication of two variables. On the other hand,
sharings with 3 shares do exist for all quadratic Boolean functions with
3 inputs. This fact leads to an approach where we define extra input
variables, virtual variables, for the function that we want to find a sharing
for. A virtual variable is hence an additional input to the function whose
value doesn't influence the output of the function. In the implementation,
however, it must be ensured that the attacker can't predict the value of
the virtual variable: it has to be random. Hence, the approach requires
additional randomness as input. For example, assume that we want to
construct a sharing for the function F(x, y) = xy. By adding a virtual
variable z, we can share F(x, y, z) = xy as follows [21]:
F1 = x2 y2 + x2 y3 + x3 y2 + x2 z2 + x3 z3 + y2 z2 + y3 z3
F2 = x3 y3 + x1 y3 + x3 y1 + x3 z3 + x1 z1 + y3 z3 + y1 z1
F3 = x1 y1 + x1 y2 + x2 y1 + x1 z1 + x2 z2 + y1 z1 + y2 z2 .
Without a virtual variable, we can share the product of two variables if we
use 4 shares [19], hence in total 2 × 4 = 8 elements. With a virtual variable,
we obtain 3 × 3 = 9 elements, which is in fact not an improvement.
Since z in the previous example F = xy was a virtual variable, its
shares z1 , z2 and z3 can be called virtual shares. Instead of introducing all
the 3 virtual shares, we can also introduce fewer of them. Since a virtual
share is not related to a ‘real’ input of the function, it doesn’t need to be
taken into account when we check the non-completeness of the sharing.
The previous example can be shared using only one virtual share:
F1 = x2 y2 + x2 y3 + x3 y2 + z
F2 = x3 y3 + x1 y3 + x3 y1 + x1 z + y1 z
F3 = x1 y1 + x1 y2 + x2 y1 + x1 z + y1 z + z.
In this sharing, we use only 7 elements.
6.2 Varying the number of shares
Until now we have considered the case when the inputs and the outputs
of a function have to be shared with the same number of shares, e.g.,
s. In fact, it is possible to generalize the approach such that the inputs
are shared with s_i shares and the outputs (i.e., the function) with s_o shares,
provided that s_i ≥ s_o holds. We briefly illustrate this approach by
sharing the product xy such that the input is shared with 4 shares and
the output with 3 shares:
F1 = (x2 + x3 + x4 )(y2 + y3 ) + y4
F2 = (x1 + x3 )(y1 + y4 ) + x1 y3 + x4
F3 = (x2 + x4 )(y1 + y4 ) + x1 y2 + x4 + y4 .
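For sharings this small, the three requirements (correctness, non-completeness, uniformity) can be checked by exhaustive enumeration. The Python checker below is an added example, not code from the paper: it takes the sharings of xy from Sections 6.1 and 6.2 above and, as a control, a plain 3-share sharing of xy without any randomness (constructed here); the function names and the checker's interface are assumptions of this example.

```python
# Added example (not from the paper): exhaustive checker for the three
# threshold-implementation requirements (correctness, non-completeness,
# uniformity), applied to the sharings of F(x, y) = xy from Sections 6.1 and
# 6.2. The sharing formulas are the paper's; the checker, its function names
# and the "direct" sharing used as a control are this example's own.
from collections import Counter
from itertools import product


def share_vectors(value, n):
    """All n-bit tuples whose XOR is `value`."""
    return [s for s in product((0, 1), repeat=n) if sum(s) % 2 == value]


def xy_three_virtual(x, y, z):
    """Section 6.1, from [21]: 3 shares of x and y plus 3 shares of virtual z."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    z1, z2, z3 = z
    f1 = (x2&y2) ^ (x2&y3) ^ (x3&y2) ^ (x2&z2) ^ (x3&z3) ^ (y2&z2) ^ (y3&z3)
    f2 = (x3&y3) ^ (x1&y3) ^ (x3&y1) ^ (x3&z3) ^ (x1&z1) ^ (y3&z3) ^ (y1&z1)
    f3 = (x1&y1) ^ (x1&y2) ^ (x2&y1) ^ (x1&z1) ^ (x2&z2) ^ (y1&z1) ^ (y2&z2)
    return (f1, f2, f3)


def xy_one_virtual(x, y, z):
    """Section 6.1: the same function with a single virtual share z."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    (z,) = z
    f1 = (x2&y2) ^ (x2&y3) ^ (x3&y2) ^ z
    f2 = (x3&y3) ^ (x1&y3) ^ (x3&y1) ^ (x1&z) ^ (y1&z)
    f3 = (x1&y1) ^ (x1&y2) ^ (x2&y1) ^ (x1&z) ^ (y1&z) ^ z
    return (f1, f2, f3)


def xy_four_in_three_out(x, y, z):
    """Section 6.2: inputs shared with 4 shares, output with 3, no virtual bits."""
    x1, x2, x3, x4 = x
    y1, y2, y3, y4 = y
    f1 = ((x2^x3^x4) & (y2^y3)) ^ y4
    f2 = ((x1^x3) & (y1^y4)) ^ (x1&y3) ^ x4
    f3 = ((x2^x4) & (y1^y4)) ^ (x1&y2) ^ x4 ^ y4
    return (f1, f2, f3)


def xy_direct(x, y, z):
    """Control (example's own): 3-share sharing of xy with no randomness."""
    x1, x2, x3 = x
    y1, y2, y3 = y
    return ((x2&y2) ^ (x2&y3) ^ (x3&y2),
            (x3&y3) ^ (x1&y3) ^ (x3&y1),
            (x1&y1) ^ (x1&y2) ^ (x2&y1))


def all_inputs(s_in, n_virtual):
    """Every (x shares, y shares, virtual bits) assignment."""
    return product(product((0, 1), repeat=s_in), product((0, 1), repeat=s_in),
                   product((0, 1), repeat=n_virtual))


def is_correct(sharing, s_in, n_virtual):
    """XOR of the output shares equals x*y for every input assignment."""
    return all(sum(sharing(xs, ys, zs)) % 2 == (sum(xs) % 2) & (sum(ys) % 2)
               for xs, ys, zs in all_inputs(s_in, n_virtual))


def is_non_complete(sharing, s_in, n_virtual):
    """Output share i must not depend on input share i of x or of y; virtual
    shares are exempt (Section 6.1). Checked by flipping that one share."""
    for xs, ys, zs in all_inputs(s_in, n_virtual):
        out = sharing(xs, ys, zs)
        for i in range(len(out)):
            xs_flip = xs[:i] + (xs[i] ^ 1,) + xs[i + 1:]
            ys_flip = ys[:i] + (ys[i] ^ 1,) + ys[i + 1:]
            if (sharing(xs_flip, ys, zs)[i] != out[i]
                    or sharing(xs, ys_flip, zs)[i] != out[i]):
                return False
    return True


def is_uniform(sharing, s_in, n_virtual):
    """For each unshared (x, y), every valid output sharing of xy occurs
    equally often over all input sharings and all virtual-bit values."""
    for x, y in product((0, 1), repeat=2):
        counts = Counter(sharing(xs, ys, zs)
                         for xs in share_vectors(x, s_in)
                         for ys in share_vectors(y, s_in)
                         for zs in product((0, 1), repeat=n_virtual))
        s_out = len(next(iter(counts)))
        if len(counts) != 2 ** (s_out - 1) or len(set(counts.values())) != 1:
            return False
    return True


if __name__ == "__main__":
    for fn, s_in, nv in [(xy_three_virtual, 3, 3), (xy_one_virtual, 3, 1),
                         (xy_four_in_three_out, 4, 0), (xy_direct, 3, 0)]:
        print(fn.__name__, is_correct(fn, s_in, nv),
              is_non_complete(fn, s_in, nv), is_uniform(fn, s_in, nv))
```

The control sharing is correct and non-complete but fails the uniformity check, which is the obstacle that the virtual variable or the extra input share removes.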
7 Conclusions
In this paper we have considered the threshold implementation method,
which is a method to construct implementations of cryptographic functions that are secure against a large class of side-channel attacks, even
when the hardware technology is not glitch-free.
We have analyzed which basic S-boxes can be securely implemented
using 3, 4 or 5 shares. We have constructed sharings for all 3 × 3, 4 × 4
S-boxes and 6 × 4 DES S-boxes. Thus we have extended the threshold
implementation method to secure implementations for any cryptographic
algorithm which uses these S-boxes. Note that the mixing layer in the
round function of a block cipher is a linear operation and thus it is trivially
shared even with 2 shares. Finally, we have implemented several of the
shared S-boxes in order to investigate the cost of the sharing as well as
the additional cost due to the pipelining stages separated by latches or
registers.
Table 6: Range for the ratio (area of the shared S-box with length L) / (area of the original S-box)

                    3 shares                          4 shares                 5 shares
L:         1        2        3        4        1         2         3        1           remark
        3.6–5.2  6.3–6.5     –        –     5.0–7.6      –         –     5.4–7.4      quadratics in S8
        3.3–6.2  6.2–6.6     –        –     4.3–6.4      –         –     5.1–7.4      quadratics in S16
           –     6.0–6.6  7.7–8.2   13.9       –      7.3–9.3    12.8    8.2–15.2     cubics in A16
           –        –        –        –    5.4–10.2   8.4–10.2   12.6   10.2–14.6     cubics in S16 \ A16
Our results, summarized in Table 6, show that such secure implementations
can also be made efficient. Note that we consider the cost of sharing
with L registers, which is the total price for the sharing (since it includes
the sharing logic plus registers). Observe that the increase of the cost for
sharing a quadratic S-box with 3 shares is similar for n = 3 and n = 4.
As expected, the longer the length of a sharing, the more costly it becomes
(for 3 and 4 shares). It can be seen that sharings with 4 and 5 shares cost
up to 50% more than sharings with 3 shares. However, there are several
cases where using 4 or 5 shares reduces the cost by up to 30%, respectively
10%, compared to 3 shares with a longer sharing length. For certain S-boxes
using 5 shares may even be beneficial compared to 4 shares (up to 4%),
but in general 5 shares are up to 30% more expensive than 4 shares.
An obvious conclusion is that the cost of the TI method heavily depends
on the class the given S-box belongs to, as well as on the chosen number
of shares and the associated sharing length. Therefore, in order to minimize
the implementation cost, the number of shares has to be carefully
chosen. For all tested S-boxes we were able to find a sharing with cost
ranging from 3.3 to 12.8 times the area of the original S-box. However,
note that the area numbers are based on a few implementations from each
class. The ratios may change significantly if the smallest/biggest S-boxes
are found for every class.
8 Acknowledgement
We would like to thank Christophe De Cannière for the fruitful discussions
and for sharing with us his toolkit for affine equivalent classes.
This work has been supported in part by the Research Council K.U.Leuven:
GOA TENSE (GOA/11/007) and by the European Commission under
contract ICT-2007-216646 (ECRYPT II).
References
1. Akkar, M.L., Giraud, C.: “An Implementation of DES and AES, Secure against Some Attacks,” CHES 2001, LNCS 2162, pp. 309–318.
2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: “Keccak specifications,” NIST SHA3 contest 2008.
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: “Building power analysis resistant implementations of Keccak,” Round 3 finalist of the Cryptographic Hash Algorithm Competition of NIST, 2010.
4. Blömer, J., Guajardo, J., Krummel, V.: “Provably Secure Masking of AES,” SAC 2004, LNCS 3357, pp. 69–83.
5. Boura, C., Canteaut, A.: “On the influence of the algebraic degree of F^{-1} on the algebraic degree of G ∘ F,” e-print archive 2011/503.
6. Carlet, C.: “Vectorial Boolean Functions for Cryptography,” to appear.
7. De Cannière, C.: “Analysis and Design of Symmetric Encryption Algorithms,” Ph.D. thesis, 2007.
8. De Cannière, C., Nikov, V., Nikova, S., Rijmen, V.: “S-box decompositions for SCA-resisting implementations,” poster session of CHES 2011.
9. Daemen, J., Vandewalle, J.: “A New Approach Towards Block Cipher Design,” FSE 1993, LNCS, pp. 18–33.
10. Daemen, J., Peeters, M., Van Assche, G.: “Bitslice Ciphers and Power Analysis Attacks,” FSE 2000, LNCS, pp. 10–12.
11. Golic, J.D., Tymen, C.: “Multiplicative Masking and Power Analysis of AES,” CHES 2002, LNCS 2523, pp. 198–212.
12. Ishai, Y., Sahai, A., Wagner, D.: “Private Circuits: Securing Hardware against Probing Attacks,” CRYPTO 2003, LNCS 2729, pp. 463–481.
13. Knudsen, L.R., Leander, G., Poschmann, A., Robshaw, M.: “PRINTcipher: A Block Cipher for IC-Printing,” CHES 2010, LNCS 6225, pp. 16–32.
14. Leander, G., Poschmann, A.: “On the classification of 4 bit s-boxes,” WAIFI 2007, LNCS 4547, pp. 159–176.
15. Lidl, R., Niederreiter, H.: “Finite Fields,” Encyclopedia of Mathematics and its Applications, vol. 20, Addison-Wesley, 1983.
16. Mangard, S., Pramstaller, N., Oswald, E.: “Successfully Attacking Masked AES Hardware Implementations,” CHES 2005, LNCS 3659, pp. 157–171.
17. Moradi, A., Mischke, O., Paar, C., Li, Y., Ohta, K., Sakiyama, K.: “On the Power of Fault Sensitivity Analysis and Collision Side-Channel Attacks in a Combined Setting,” CHES 2011, LNCS 6917, pp. 292–311.
18. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: “Pushing the Limits: A Very Compact and a Threshold Implementation of AES,” Eurocrypt 2011, LNCS 6632, pp. 69–88.
19. Nikova, S., Rechberger, C., Rijmen, V.: “Threshold Implementations Against Side-Channel Attacks and Glitches,” ICICS 2006, LNCS 4307, pp. 529–545.
20. Nikova, S., Rijmen, V., Schläffer, M.: “Using Normal Bases for Compact Hardware Implementations of the AES S-Box,” SCN 2008, LNCS 5229, pp. 236–245.
21. Nikova, S., Rijmen, V., Schläffer, M.: “Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches,” ICISC 2008, LNCS 5461, pp. 218–234.
22. Nikova, S., Rijmen, V., Schläffer, M.: “Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches,” J. Cryptology 24 (2), pp. 292–321, 2011.
23. Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: “A Side-Channel Analysis Resistant Description of the AES S-Box,” FSE 2005, LNCS 3557, pp. 413–423.
24. Popp, T., Mangard, S.: “Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints,” CHES 2005, LNCS 3659, pp. 172–186.
25. Poschmann, A., Moradi, A., Khoo, K., Lim, C.W., Wang, H., Ling, S.: “Side-Channel Resistant Crypto for less than 2,300 GE,” J. Cryptology 24 (2), pp. 322–345, 2011.
26. Rivain, M., Prouff, E.: “Provably Secure Higher-Order Masking of AES,” CHES 2010, LNCS 6225, pp. 413–427, 2010.
27. Prouff, E., Roche, T.: “Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols,” CHES 2011, LNCS 6917, pp. 63–78, 2011.
28. Rotman, J.: “An introduction to the theory of groups,” Graduate texts in mathematics, Springer-Verlag, 1995.
29. Saarinen, M.-J. O.: “Cryptographic analysis of all 4 × 4-bit s-boxes,” SAC 2011, LNCS 7118, pp. 118–133, 2012.
30. Tiri, K., Verbauwhede, I.: “A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation,” DATE 2004, IEEE Computer Society, pp. 246–251.
31. Trichina, E., Korkishko, T., Lee, K.H.: “Small Size, Low Power, Side Channel-Immune AES Coprocessor: Design and Synthesis Results,” 4th AES Conference, LNCS 3373, pp. 113–127, 2004.
32. Wernsdorf, R.: “The Round Functions of RIJNDAEL Generate the Alternating Group,” FSE 2002, LNCS 2365, pp. 143–148.
A Appendix - Tables

Table 7: The 4 classes of 3 × 3 S-boxes

Class    Truth table   Sharing
A^3_0    01234567      1,1
Q^3_1    01234576      1,1
Q^3_2    01234675      1,1
Q^3_3    01243675      2,2
Table 8: The 302 classes of 4 × 4 S-boxes (A^4_0 to C^4_134; Sharing = length with 3 shares, length with 4 shares)

Class     Truth table        Sharing
A^4_0     0123456789ABCDEF   1,1
C^4_1     0123456789ABCDFE   -,1
C^4_2     0123456789ABCEFD   3,3
C^4_3     0123456789ABDEFC   -,1
Q^4_4     0123456789ABDCFE   1,1
C^4_5     0123456789ACDBFE   -,2
C^4_6     0123456789ACBDFE   3,3
C^4_7     0123456789ACBEFD   -,3
C^4_8     0123456789ACDEFB   3,3
C^4_9     0123456789ACDEBF   -,3
C^4_10    0123456789BCAEFD   3,3
C^4_11    0123456789BCEFDA   -,2
Q^4_12    0123456789CDEFAB   1,1
C^4_13    0123456789CDEFBA   -,1
C^4_14    0123456879CDEFBA   3,3
C^4_15    012345687A9CBEFD   -,3
C^4_16    012345687A9CDFBE   3,3
C^4_17    0123456879CDEFAB   -,2
C^4_18    0123456879ACDBFE   3,3
C^4_19    0123456879ACDFBE   -,3
C^4_20    0123456879ACDEBF   3,3
C^4_21    0123456879ACBDFE   -,3
C^4_22    0123456879ACFEDB   3,3
C^4_23    0123456879BCEFAD   -,3
C^4_24    012345687A9CFBDE   4,3
C^4_25    0123456879ABCEFD   -,3
C^4_26    0123456879BCDEFA   3,3
C^4_27    012345687ABCDEF9   -,3
C^4_28    0123456879BCEAFD   3,3
C^4_29    012345687ABCEFD9   -,3
C^4_30    012345687ABCE9FD   -,3
C^4_31    0123456879ACBEFD   3,3
C^4_32    0123456879ACFBDE   -,3
C^4_33    0123456879BCEFDA   3,3
C^4_34    0123456879BCFEAD   3,3
C^4_35    0123456879CEAFDB   -,3
C^4_36    0123456879CEAFBD   3,3
C^4_37    0123456879ACDEFB   -,3
C^4_38    0123456879ABDEFC   3,3
C^4_39    012345768A9CBEFD   -,3
C^4_40    012345768A9CBFDE   -,2
C^4_41    012345768A9CBFED   3,3
C^4_42    012345786ACBED9F   -,3
C^4_43    012345786ABCF9DE   3,3
C^4_44    012345786AC9BFED   3,3
C^4_45    012345786A9CFBDE   -,3
C^4_46    012345786ABCDEF9   3,3
C^4_47    012345786AC9DEBF   -,3
C^4_48    012345786AC9EDFB   -,3
C^4_49    012345786A9CDEBF   3,3
C^4_50    012345786A9CFDBE   3,3
C^4_51    012345786ABCDE9F   -,3
C^4_52    012345786ACBDE9F   3,3
C^4_53    012345786ACBDFE9   3,3
C^4_54    012345786A9BCEFD   -,2
C^4_55    012345786AB9CFDE   3,3
C^4_56    012345786AC9BFDE   -,3
C^4_57    012345786A9CBEFD   3,3
C^4_58    012345786ACFDE9B   -,3
C^4_59    012345786ACEDFB9   -,2
C^4_60    012345786ACFB9DE   3,3
C^4_61    012345786ACFDEB9   3,3
C^4_62    012345786A9CBFED   -,3
C^4_63    012345786AC9DEFB   3,3
C^4_64    012345786ABCED9F   3,3
C^4_65    012345786A9CFDEB   -,3
C^4_66    012345786ACB9EFD   3,3
C^4_67    012345786ACF9DBE   3,3
C^4_68    0123457869ACDFEB   -,3
C^4_69    0123457869ACDEBF   -,3
C^4_70    012345786ACBF9ED   3,3
C^4_71    012345786ACEBD9F   3,3
C^4_72    012345786ACDF9EB   -,3
C^4_73    012345786ACDF9BE   3,3
C^4_74    012345786ACDE9FB   3,3
C^4_75    012345786AC9FBED   -,3
C^4_76    012345786ACEBFD9   3,3
C^4_77    012345786A9CEFDB   -,3
C^4_78    0123457869ACBEDF   3,3
C^4_79    0123457869ACBFDE   -,3
C^4_80    0123457869ACBEFD   -,3
C^4_81    0123457869ACEFDB   3,3
C^4_82    0123457869ACEBDF   -,3
C^4_83    0123457869ACEBFD   3,3
C^4_84    012345786ACF9EBD   -,3
C^4_85    012345786A9CEBDF   3,3
C^4_86    012345786A9CFBED   3,3
C^4_87    012345786ACD9EFB   -,3
C^4_88    012345786ACD9FBE   -,2
C^4_89    012345786ACD9EBF   3,3
C^4_90    012345786ABCF9ED   -,3
C^4_91    012345786ACFBD9E   -,3
C^4_92    012345786ABC9EDF   3,3
C^4_93    012345786ABC9EFD   -,3
C^4_94    012345786ACED9FB   -,3
C^4_95    012345786A9CDFEB   3,3
C^4_96    012345786A9CEDFB   3,3
C^4_97    0123458A6BCEDF97   -,3
C^4_98    0123458A6BCF97ED   -,3
C^4_99    0123458A6BC97FDE   3,3
C^4_100   0123458A6B9CF7ED   -,3
C^4_101   0123458A6BCFED79   3,3
C^4_102   012345786A9CDBEF   -,3
C^4_103   0123458A69C7DFEB   3,3
C^4_104   0123458A69C7FDBE   3,3
C^4_105   0123458A697CBEFD   -,3
C^4_106   0123458A697CBFDE   -,3
C^4_107   0123458A69CE7FDB   3,3
C^4_108   0123458A6C9FEB7D   -,2
C^4_109   0123458A6CB9F7ED   -,3
C^4_110   0123458A69CFD7BE   3,3
C^4_111   0123458A69BC7FDE   3,3
C^4_112   0123458A6C7EBFD9   -,3
C^4_113   0123458A6C7FBE9D   -,3
C^4_114   012345786ACFBDE9   3,3
C^4_115   012345786ACBE9DF   3,3
C^4_116   0123458A6C9D7FBE   -,2
C^4_117   0123458A6C9D7EFB   -,3
C^4_118   0123458A6C9FDB7E   3,3
C^4_119   012345786ACB9FED   -,3
C^4_120   0123458A6C7EBDF9   3,3
C^4_121   0123458A6C7FBD9E   3,3
C^4_122   0123458A6BCE79FD   -,3
C^4_123   0123458A69BCE7DF   3,3
C^4_124   0123458A69CEBDF7   3,3
C^4_125   0123458A69CB7EFD   -,3
C^4_126   012345786AC9EDBF   3,3
C^4_127   012345786ABC9FED   3,3
C^4_128   0123458A6B9CDE7F   -,2
C^4_129   0123458A6BC7F9ED   -,3
C^4_130   0123458A6CBDE79F   3,2
C^4_131   0123458A6CE9BDF7   3,2
C^4_132   0123458A6CBD7E9F   -,3
C^4_133   0123458A6C9FBD7E   -,3
C^4_134   0123458A69C7DEBF   3,3
Table 9: The 302 classes of 4 × 4 S-boxes (continued: C^4_135 to C^4_269)

Class     Truth table        Sharing
C^4_135   0123458A69CDE7FB   -,3
C^4_136   0123458A69C7FBED   3,3
C^4_137   0123458967CEAFBD   -,3
C^4_138   0123458967CEAFDB   3,3
C^4_139   0123456879BCAEFD   -,3
C^4_140   012345687ABC9FDE   3,3
C^4_141   0123458967CEBFDA   -,3
C^4_142   012345786ACD9FEB   3,3
C^4_143   0123458A69CFB7DE   -,3
C^4_144   0123458A69CFDEB7   -,3
C^4_145   0123458A69BCF7ED   3,3
C^4_146   0123458A69CB7FDE   -,3
C^4_147   012345786ABCFDE9   3,3
C^4_148   012345786ABCE9FD   3,3
C^4_149   012345786ABCFD9E   -,3
C^4_150   0123458A6BCFDE97   2,2
C^4_151   0123458A6BCF97DE   2,2
C^4_152   0123458A6BCF7E9D   -,3
C^4_153   0123458A6B9CEDF7   -,3
C^4_154   0123467859CFBEAD   3,3
C^4_155   0123467859CFEBDA   3,3
C^4_156   0123458A69CFE7BD   -,3
C^4_157   0123458A69CEFB7D   -,3
C^4_158   0123458A6BCF7D9E   2,2
C^4_159   0123458A6BCED79F   2,2
C^4_160   0123468B59CED7AF   -,3
C^4_161   0123458A6B7CEDF9   3,3
C^4_162   0123458A6B7CDFE9   3,3
C^4_163   0123468C59BDE7AF   -,3
C^4_164   0123458A6B7C9FDE   3,3
C^4_165   0123458A6B7C9EFD   3,3
C^4_166   012345896ABCE7DF   -,2
C^4_167   0123458A67BC9EFD   -,3
C^4_168   0123458A6CBFE7D9   2,2
C^4_169   012345786ACFB9ED   -,3
C^4_170   012345786ACEB9DF   -,2
C^4_171   0123458A6CBF7E9D   2,2
C^4_172   0123458A6C9DBF7E   2,2
C^4_173   012345786A9CBDFE   -,3
C^4_174   0123458A69CF7EBD   3,3
C^4_175   012345786ACDE9BF   -,3
C^4_176   0123457869ACFEBD   3,3
C^4_177   0123457869BCEAFD   -,3
C^4_178   0123458A6C7DBFE9   3,3
C^4_179   012345786A9CEDBF   -,3
C^4_180   0123458A6C9D7FEB   3,3
C^4_181   012345896ABC7FDE   -,3
C^4_182   0123458A67BC9FDE   -,3
C^4_183   012345896ACF7BED   3,3
C^4_184   0123458A67CF9BED   3,3
C^4_185   012345896ACE7BFD   -,3
C^4_186   0123458A67CF9BDE   -,3
C^4_187   012345786ACEFB9D   3,3
C^4_188   012345786ACFEB9D   -,3
C^4_189   0123457869CEFBDA   3,3
C^4_190   0123458A6C7DBEF9   -,3
C^4_191   0123458A6C7FB9DE   -,3
C^4_192   0123458A6C7FBED9   3,3
C^4_193   0123458A6C7FDB9E   -,3
C^4_194   012345786ACFED9B   3,3
C^4_195   0123458A6BC7DE9F   -,3
C^4_196   0123468C59BDEA7F   3,3
C^4_197   0123458A6CBDE97F   -,3
C^4_198   0123458A69C7BEFD   3,3
C^4_199   0123458A6BCFD9E7   -,2
C^4_200   0123458A6BCFD79E   -,3
C^4_201   012345786ACB9FDE   3,3
C^4_202   012345786ACE9DFB   3,3
C^4_203   012345786ACF9BDE   -,3
C^4_204   012345786ACE9BFD   -,2
C^4_205   012345786ACDB9EF   3,3
C^4_206   012345896ABCEDF7   -,3
C^4_207   0123458A67BCEDF9   -,3
C^4_208   0123458A69C7BFDE   3,3
C^4_209   0123468B59CF7DAE   -,3
C^4_210   0123468A5BCF7D9E   -,3
C^4_211   0123458A69CED7FB   3,3
C^4_212   0123458A69BC7EFD   3,3
C^4_213   012345896ABC7EFD   -,2
C^4_214   0123458A67CEB9FD   2,2
C^4_215   012345896ACEB7FD   2,2
C^4_216   0123457869CDEFBA   -,2
C^4_217   012345687ABC9EFD   3,3
C^4_218   0123457869BCDEFA   -,3
C^4_219   012345786ACF9BED   3,3
C^4_220   0123468A59CFDE7B   -,3
C^4_221   0123457869CEAFDB   3,3
C^4_222   0123467859CFEADB   -,3
C^4_223   0123468A5BCFDE79   2,2
C^4_224   0123457869CEBFDA   -,3
C^4_225   0123456879CEBFDA   3,3
C^4_226   012345786ABC9FDE   -,3
C^4_227   012345786ACFD9BE   -,3
C^4_228   0123458A69BCEDF7   3,3
C^4_229   0123458A6C9DBFE7   -,3
C^4_230   0123458A6CEB7FD9   -,3
C^4_231   0123468B59CEDA7F   3,3
C^4_232   0123458A6C9FDBE7   -,3
C^4_233   0123458A67B9CFDE   2,2
C^4_234   012345896AB7CFDE   2,2
C^4_235   0123458A69B7CEFD   -,3
C^4_236   0123458A6B97CFDE   2,2
C^4_237   0123458A69B7CFDE   -,3
C^4_238   0123457689CEAFBD   2,2
C^4_239   0123457689CEAFDB   -,3
C^4_240   012345768A9CDEFB   3,3
C^4_241   012345768A9CDEBF   -,2
C^4_242   012345768A9CDFEB   -,3
C^4_243   012345768ACF9BDE   2,2
C^4_244   012345768ACE9BFD   2,2
C^4_245   012345768ACF9BED   -,3
C^4_246   0123456879BAEFDC   -,2
C^4_247   012345687AB9DEFC   3,3
C^4_248   0123456879CEFBDA   -,2
C^4_249   0123458A69CFEB7D   3,3
C^4_250   0123458A69CD7FEB   -,3
C^4_251   0123458A69CEF7DB   -,3
C^4_252   0123458A69CEFBD7   2,2
C^4_253   0123458A69CE7FBD   -,3
C^4_254   0123458A69BCFD7E   3,3
C^4_255   012345786ABCEDF9   -,3
C^4_256   012345896ACF7BDE   -,3
C^4_257   012345896ABCFD7E   -,2
C^4_258   012345896ACE7BDF   2,2
C^4_259   012345896ACEFDB7   2,2
C^4_260   012345896AB7CEFD   2,2
C^4_261   0123458A69CEB7FD   -,3
C^4_262   0123458A6C7DB9FE   2,2
C^4_263   0123458A6BC7EDF9   -,3
C^4_264   0123458A6C7DFEB9   2,2
C^4_265   0123458A6BCDE9F7   -,3
C^4_266   0123468A5BCFED97   2,2
C^4_267   012345786ABCE9DF   -,3
C^4_268   0123458A69CFBED7   3,3
C^4_269   0123458A69CEBFD7   -,3
Table 10: The 302 classes of 4 × 4 S-boxes (continued: C^4_270 to C^4_301)

Class     Truth table        Sharing
C^4_270   0123468B5C9DEA7F   3,3
C^4_271   0123468B5C9DAFE7   -,3
C^4_272   0123468B5CD79FAE   -,3
C^4_273   0123458A6C7FEB9D   3,3
C^4_274   0123458A6BCED97F   -,3
C^4_275   0123458A6CF7BE9D   3,3
C^4_276   0123458A6CF7BD9E   -,3
C^4_277   0123458A6BC9DE7F   3,3
C^4_278   0123468B5CD7AF9E   3,3
C^4_279   0123458A6BC7DFE9   -,3
C^4_280   0123457869ACEDBF   3,3
C^4_281   0123457869ACFBDE   3,3
C^4_282   0123468B5CD7F9EA   -,3
C^4_283   0123468B5C9DE7AF   -,3
C^4_284   0123458A6BCF9D7E   -,3
C^4_285   0123457869CEAFBD   -,2
C^4_286   0123458967CEFBDA   2,2
C^4_287   012345768A9CDFBE   3,3
C^4_288   0123456789CEFBDA   2,2
C^4_289   0123456789CEBFDA   -,3
C^4_290   0123456789BCEAFD   -,3
C^4_291   012345768A9BCFED   -,3
C^4_292   012345768A9BCEFD   2,2
Q^4_293   0123457689CDEFBA   1,1
Q^4_294   0123456789BAEFDC   1,1
C^4_295   0123468C59DFA7BE   -,3
C^4_296   0123468A5BCF7E9D   2,2
C^4_297   0123468A5BCF79DE   2,2
C^4_298   012345687ACEB9FD   -,2
Q^4_299   012345678ACEB9FD   1,1
Q^4_300   0123458967CDEFAB   2,1
C^4_301   0123458967CDEFBA   -,1
Table 11: Known S-boxes and their classes

Class     Cipher
C^4_39    DESL Row2, DESL Row3
C^4_46    DES7 Row3
C^4_59    DES7 Row1
C^4_69    DES3 Row1, DES7 Row0
C^4_74    DES6 Row1
C^4_80    DES8 Row2
C^4_85    DES1 Row0, DES1 Row1, DES1 Row2, DES8 Row3
C^4_97    DES8 Row0
C^4_108   Twofish q1 t1
C^4_117   DES2 Row0, DES6 Row3
C^4_120   Twofish q0 t3
C^4_137   DES8 Row1
C^4_139   DES3 Row0, DES5 Row0
C^4_142   Twofish q1 t3
C^4_145   Gost K6
C^4_148   DES5 Row3
C^4_153   Twofish q1 t0
C^4_154   Gost K5
C^4_160   Serpent3, Serpent7, Clefia2, Clefia3, HB1 S1, HB1 S3, HB2 S0
C^4_163   Clefia1, HB1 S2, HB2 S1
C^4_166   DES2 Row1, DESL Row0
C^4_172   Gost K1
C^4_177   Gost K8
C^4_184   DES1 Row3
C^4_188   Lucifer S0
C^4_190   Twofish q0 t0
C^4_197   Lucifer S1
C^4_204   DES2 Row2, DES3 Row2, DESL Row1
C^4_206   Gost K7
C^4_208   Twofish q0 t1
C^4_209   Serpent4, Serpent5, HB2 S2
C^4_210   Clefia0, Twofish q0 t2, HB1 S0, HB2 S3
C^4_220   DES6 Row0
C^4_221   DES5 Row2
C^4_223   Noekeon, Luffa v1, Piccolo
C^4_229   Twofish q1 t2
C^4_231   JH S0, JH S1
C^4_253   Gost K3
C^4_254   DES5 Row1
C^4_257   DES3 Row3
C^4_266   Present, Serpent2, Serpent6, Luffa v2, Hamsi
C^4_267   Gost K4
C^4_270   Klein, KhazadP, KhazadQ, Iceberg G0, Iceberg G1, Puffin
C^4_275   Gost K2
C^4_279   DES2 Row3, DES4 Row0, DES4 Row1, DES4 Row2, DES4 Row3, DES7 Row2
C^4_281   DES6 Row2
C^4_282   Inversion in GF(2^4), mCrypton S0, S1, S2, S3
C^4_296   Serpent1
C^4_297   Serpent0
Table 12: Quadratic decomposition length 2

Class (in A16)   Quadratic decompositions of length 2 (quadratic × quadratic)                         # simple solutions
C^4_130    300 × 299                                                                                   1
C^4_131    299 × 300                                                                                   1
C^4_150    12 × 293, 293 × 300, 300 × 12, 300 × 300                                                    4
C^4_151    12 × 300, 293 × 12, 300 × 293, 300 × 300                                                    4
C^4_158    299 × 293                                                                                   1
C^4_159    293 × 299                                                                                   1
C^4_168    12 × 300, 293 × 293, 300 × 12, 300 × 300                                                    4
C^4_171    293 × 12, 293 × 300, 294 × 293, 294 × 300                                                   4
C^4_172    12 × 293, 293 × 294, 300 × 293, 300 × 294                                                   4
C^4_214    4 × 299, 12 × 12, 12 × 294, 12 × 299, 293 × 4, 293 × 12, 293 × 294, 293 × 299,
           294 × 12, 294 × 294, 294 × 299, 300 × 4, 300 × 12, 300 × 294, 300 × 299                    15
C^4_215    4 × 293, 4 × 300, 12 × 12, 12 × 293, 12 × 294, 12 × 300, 294 × 12, 294 × 293,
           294 × 294, 294 × 300, 299 × 4, 299 × 12, 299 × 293, 299 × 294, 299 × 300                   15
C^4_223    12 × 293, 293 × 293, 293 × 294, 294 × 293, 294 × 294, 299 × 12, 299 × 299                   7
C^4_233    12 × 12, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 12, 300 × 293, 300 × 300          8
C^4_234    12 × 12, 12 × 294, 12 × 299, 293 × 293, 293 × 300, 300 × 293, 300 × 294, 300 × 300          8
C^4_236    12 × 12, 293 × 293, 293 × 294, 293 × 300, 294 × 293, 294 × 294, 299 × 299,
           300 × 293, 300 × 300                                                                        9
C^4_238    12 × 300, 293 × 293, 300 × 12, 300 × 300                                                    4
C^4_243    4 × 293, 4 × 294, 12 × 4, 12 × 293, 12 × 294, 12 × 299, 293 × 12, 293 × 294,
           294 × 4, 294 × 12, 294 × 293, 294 × 294, 299 × 4, 299 × 293, 299 × 294,
           300 × 12, 300 × 294, 300 × 299                                                             18
C^4_244    4 × 12, 4 × 294, 4 × 299, 12 × 293, 12 × 294, 12 × 300, 293 × 4, 293 × 12,
           293 × 294, 293 × 300, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 294 × 299,
           294 × 300, 299 × 12, 299 × 300                                                             18
C^4_252    299 × 300, 300 × 299                                                                        2
C^4_258    4 × 12, 4 × 300, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300,
           293 × 12, 293 × 294, 293 × 299, 294 × 12, 294 × 293, 294 × 299, 294 × 300,
           299 × 12, 299 × 293, 299 × 294, 299 × 300, 300 × 4, 300 × 12, 300 × 294,
           300 × 299                                                                                  23
C^4_259    4 × 12, 4 × 300, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300, 293 × 4,
           293 × 12, 293 × 294, 293 × 299, 294 × 4, 294 × 12, 294 × 293, 294 × 294,
           294 × 300, 299 × 12, 299 × 293, 299 × 294, 299 × 300, 300 × 12, 300 × 294,
           300 × 299                                                                                  23
C^4_260    4 × 293, 4 × 294, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300,
           293 × 12, 293 × 294, 293 × 299, 294 × 12, 294 × 293, 294 × 294, 294 × 299,
           294 × 299, 299 × 12, 299 × 293, 299 × 300, 300 × 4, 300 × 12, 300 × 294,
           300 × 299                                                                                  23
C^4_262    12 × 299, 294 × 299, 299 × 12, 299 × 294                                                    4
C^4_264    12 × 294, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 299, 300 × 293, 300 × 294        8
C^4_266    12 × 12, 293 × 300, 294 × 299, 299 × 294, 299 × 299, 300 × 293, 300 × 300                   7
C^4_286    12 × 293, 12 × 300, 293 × 12, 293 × 300, 300 × 12, 300 × 293, 300 × 300                     7
C^4_288    12 × 12, 293 × 300, 300 × 293, 300 × 300                                                    4
C^4_292    4 × 4, 4 × 12, 4 × 294, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 300, 293 × 12,
           293 × 294, 293 × 299, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 294 × 299,
           294 × 300, 299 × 293, 299 × 294, 299 × 300, 300 × 12, 300 × 294, 300 × 299                 23
C^4_296    12 × 299, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 294, 299 × 299                   7
C^4_297    12 × 294, 293 × 293, 294 × 299, 299 × 12, 299 × 299, 300 × 293, 300 × 294                   7