Threshold Implementations of all 3 × 3 and 4 × 4 S-boxes

Begul Bilgin (1,3), Svetla Nikova (1), Ventzislav Nikov (4), Vincent Rijmen (1,2), and Georg Stütz (2)

1 Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC and IBBT, Belgium
2 Graz University of Technology, IAIK, Austria
3 University of Twente, EEMCS-DIES, The Netherlands
4 NXP Semiconductors, Belgium

Abstract. Side-channel attacks have proven many hardware implementations of cryptographic algorithms to be vulnerable. A recently proposed masking method, based on secret sharing and multi-party computation methods, introduces a set of sufficient requirements for implementations to be provably resistant against first-order DPA with minimal assumptions on the hardware. The original paper does not describe how to construct the Boolean functions that are to be used in the implementation. In this paper, we derive the functions for all invertible 3 × 3 and 4 × 4 S-boxes and for the 6 × 4 DES S-boxes. Our methods and observations can also be used to accelerate the search for sharings of larger (e.g. 8 × 8) S-boxes. Finally, we investigate the cost of such protection.

Keywords: DPA, masking, glitches, sharing, nonlinear functions, S-box, decomposition

1 Introduction

Side-channel analysis exploits the information leaked during the computation of a cryptographic algorithm. The most common technique is to analyze the power consumption of a cryptographic device using differential power analysis (DPA). This side-channel attack exploits the correlation between the instantaneous power consumption of a device and the intermediate results of a cryptographic algorithm. Several countermeasures against side-channel attacks have been proposed. Circuit design approaches [30] try to balance the power consumption of different data values. Another method is to randomize the intermediate values of an algorithm by masking them.
This can be done at the algorithm level [1, 4, 11, 23], at the gate level [12, 26, 31] or even in combination with circuit design approaches [24]. Many of these approaches result in very secure software implementations. However, it has been shown that hardware implementations are much more difficult to protect against DPA [16]. The problem with most of these masking approaches is that they underestimate the amount of information that is leaked by hardware, for instance during glitches or other transient effects. The security proofs are based on an idealized hardware model, resulting in requirements on the hardware that are very expensive to meet in practice. The main advantages of the threshold implementation approach are that it provides provable security against first-order DPA attacks with minimal assumptions on the hardware technology (in particular, it remains secure in the presence of glitches) and that the method allows one to construct circuits of realistic size [19, 21, 22].

1.1 Organization and contributions of this paper

The remainder of this paper is organized as follows. In Section 2 we introduce the notation and provide some background material. Section 2.6 contains our first contribution: a classification of S-boxes which simplifies the task of finding implementations for all S-boxes. In Section 3 we present our second contribution: a method to decompose permutations as a composition of quadratic ones. We prove that all 4-bit S-boxes in the alternating group can be decomposed in this way. We extend the sharing method in Section 4 and show that all 3 × 3, 4 × 4 and DES 6 × 4 S-boxes can be shared with a minimum of 3 and/or 4 shares. We investigate the cost of a HW implementation of the shared S-boxes in Section 5. We present some ideas for further improvements in Section 6. Finally, we conclude in Section 7.

2 Preliminaries

We consider n-bit permutations, sometimes defined over the vector space F_2^n and sometimes over the finite field GF(2^n).
The degree of such a permutation F is the algebraic degree of the (n, n) vectorial Boolean function [5], also called an n-bit S-box. Any such function F(x) can be considered as an n-tuple of Boolean functions (f_1(x), ..., f_n(x)), called the coordinate functions of F(x).

2.1 Threshold implementations

Threshold implementations (TI) are a kind of side-channel attack countermeasure based on secret sharing schemes and techniques from multiparty computation. The approach can be summarized as follows. Split a variable x into s additive shares x_i with $x = \sum_i x_i$ and denote the vector of the s shares x_i by x̄ = (x_1, x_2, ..., x_s). In order to implement a function a = F(x, y, z, ...) from F_2^m to F_2^n, the TI method requires a sharing, i.e. a set of s functions F_i which together compute the output(s) of F. A sharing needs to satisfy three properties:

Correctness: $a = F(x, y, z, \ldots) = \sum_i F_i(\bar{x}, \bar{y}, \bar{z}, \ldots)$ for all x̄, ȳ, z̄, ... satisfying $\sum_i x_i = x$, $\sum_i y_i = y$, $\sum_i z_i = z$, ...

Non-completeness: Every function F_i is independent of at least one share of the input variables x, y, z, .... This is often translated to "F_i should be independent of x_i, y_i, z_i, ...".

Uniformity (balancedness): For all (a_1, a_2, ..., a_s) satisfying $\sum_i a_i = a$, the number of tuples (x̄, ȳ, z̄, ...) ∈ F^{ms} for which F_j(x̄, ȳ, z̄, ...) = a_j, 1 ≤ j ≤ s, is equal to 2^{(s−1)(m−n)} times the number of (x, y, z, ...) ∈ F^m for which a = F(x, y, z, ...). Hence, if F is a permutation on F^m, then the functions F_i together define a permutation on F^{ms}. In other words, the sharing preserves the output distribution.

This approach results in combinational logic with the following properties. Firstly, since each F_i is completely independent of the unmasked values, so are the subcircuits implementing them, even in the presence of glitches.
Because of the linearity of the expectation operator, the same holds for the average power consumption of the whole circuit, or for any linear combination of the power consumptions of the subcircuits. This implies perfect resistance against all first-order side-channel attacks [22]. The approach was recently extended and applied to Noekeon [22], Keccak [3], Present [25] and AES [18].

Whereas it is easy to construct, for any function, a sharing satisfying the first two properties, the uniformity property poses more problems. Hence reasonable questions to ask are: which functions (S-boxes) can be shared with this approach, how many shares are required, and how can we construct such a sharing?

A similar approach was followed in [27], where Shamir's secret sharing scheme is used to construct hardware secure against d-th order side-channel attacks in the presence of glitches. Instead of constructing dedicated functions F_i, they propose a general method which replaces every field multiplication by 4d^3 field multiplications and 4d^3 additions, using 2d^2 bytes of randomness. While the method is applicable everywhere in principle, there are cases where it may prove too costly.

2.2 Decomposition as a tool to facilitate sharing

In order to share a nonlinear function (S-box) with algebraic degree d, at least d + 1 shares are needed [19, Theorem 1]. Several examples of functions shared with 3 shares have been provided [19, 21, 22], namely quadratic Boolean functions of two and three variables, multiplication in the extension field GF(2^{2m})/GF(2^m) (e.g. multiplication in GF(4)), and the Noekeon S-box. A realization of the inversion in GF(16) with 5 shares was given in [19]. Since the area requirements of an implementation increase with the number of shares, it is desirable to keep the number of shares as low as possible.

The block ciphers Noekeon and Present have been designed for compact hardware implementations.
They have S-boxes which are not very complex: 4 × 4 cubic permutations. Realizations for these two block ciphers have been presented in [21, 22] for Noekeon and in [25] for Present. In order to decrease the algebraic degree of the functions for which sharings need to be found, these three realizations decompose the S-box into two parts. For the Present S-box, decompositions S(x) = F(G(x)) with G(0) = 0 have been found [25], where F(x) and G(x) are quadratic permutations. By varying the constant term G(0) the authors found all possible decompositions S(x) = F(G(x)). Both S-boxes F(x) and G(x) have been shared with three shares, (F_1, F_2, F_3) and (G_1, G_2, G_3), that are correct, non-complete and uniform. Figure 1 illustrates this approach.

[Fig. 1: Decomposition approach]

When the AES S-box (with algebraic degree seven) is represented using the tower field approach, the only nonlinear operation is the multiplication in GF(4), which is a quadratic mapping [18]. This observation has led to a TI for AES with 3 shares. In order to guarantee uniformity, resharing (also called re-masking) has been used four times. Re-sharing is a technique where fresh uniform random masks/shares are added inside a pipeline stage in order to make the shares follow a uniform distribution again.

A novel fault attack technique against several AES cores, including one claimed to be protected with the TI method, has been proposed in [17]. But as the authors pointed out, contrary to the AES TI implementation in [18], their targeted core was built without satisfying the non-completeness and uniformity properties, by "sharing" the AND gates with the 4-share formula from [18, 19]. Since the method used does not satisfy the TI properties, it should not be called a TI implementation of AES. In addition, the TI method was never claimed to provide protection against fault attacks.

2.3 Equivalence classes for n = 2, 3, 4

Definition 1 ([7]). Two S-boxes S_1(x) and S_2(x) are affine/linear equivalent if there exists a pair of invertible affine/linear permutations A(x) and B(x) such that S_1 = B ∘ S_2 ∘ A.

Every invertible affine permutation A(x) can be written as A · x + a with a an n-bit constant and A an n × n matrix which is invertible over GF(2). It follows that there are

$2^n \times \prod_{i=0}^{n-1} (2^n - 2^i)$    (1)

different invertible affine permutations. The relation "being affine equivalent" can be used to define equivalence classes. We now investigate the number of classes of invertible n × n S-boxes for n = 2, 3, 4. Note that the algebraic degree is affine invariant, hence all S-boxes in a class have the same algebraic degree.

It is well known that all invertible 2 × 2 S-boxes are affine, hence there is only one class. The set of invertible 3 × 3 S-boxes contains 4 equivalence classes [7]: 3 classes containing quadratic functions, and one class containing the affine functions. Table 7 in the Appendix lists a representative of each class.

The maximal algebraic degree of a balanced 4-variable Boolean function is 3 [6, 15]. De Cannière uses an algorithm to search for the affine equivalence classes which guesses the affine permutation A for as few input points as possible, and then uses the linearity of A and B to follow the implications of these guesses as far as possible. This search is accelerated by applying the next observation, which follows from linear algebra arguments (change of basis):

Lemma 1 ([14]). Let S be an n × n bijection. Then S is affine equivalent to an S-box S̃ with S̃(0) = 0, S̃(1) = 1, S̃(2) = 2, ..., S̃(2^{n−1}) = 2^{n−1}.

In the case n = 4, this observation reduces the search space from 16! ≈ 2^44 to 11! ≈ 2^25. De Cannière lists the 302 equivalence classes for the 4 × 4 bijections [7]: the class of affine functions, 6 classes containing quadratic functions and the remaining 295 classes containing cubic functions (footnote 1). The classes are listed in Tables 8–10 in the Appendix.
The numbering of the classes is derived from the lexicographical ordering of the truth tables of the S-boxes. In order to increase readability, we introduce the following notation: A^n_i, Q^n_j and C^n_k denote the affine class number i, the quadratic class number j and the cubic class number k of permutations of F_2^n.

Footnote 1: Independent of [7, 14], Saarinen classified the 4 × 4 S-boxes using a different equivalence relation [29].

2.4 Order of a permutation

All bijections from a set X to itself (also called permutations) form the symmetric group on X, denoted by S_X. A transposition is a permutation which exchanges two elements and keeps all others fixed. A classical theorem states that every permutation can be written as a product of transpositions [28], and although the representation of a permutation as a product of transpositions is not unique, the number of transpositions needed to represent a given permutation is either always even or always odd. The set of all even permutations forms a normal subgroup of S_X, which is called the alternating group on X and denoted by A_X. The alternating group contains half of the elements of S_X. Instead of A_X and S_X, we will write here A_n and S_n, where n is the size of the set X.

2.5 Known S-boxes and their classes

There are only few cryptographically significant 3 × 3 S-boxes: the inversion in GF(2^3), the PRINTcipher [13], the Threeway [9] and the Baseking [10] S-boxes. They all belong to class 3. There are many cryptographically significant 4 × 4 S-boxes. Table 11 in the Appendix lists some of them and the class to which they belong.

2.6 The inverse S-box

Note that S^{−1}, the inverse S-box, is not necessarily affine equivalent to S and in this case may not have the same algebraic degree. We know, however, that the inverse of an affine permutation is always an affine permutation. In the case of 3 × 3 S-boxes it follows that the inverse of a quadratic permutation is again a quadratic permutation.
Moreover, it can be shown that the 3 quadratic classes in S_8 are self-inverse, i.e. S^{−1} belongs to the same class as S. In the case n = 4, we can apply the following lemma.

Lemma 2 ([5]). Let F be a permutation of GF(2^n). Then deg(F^{−1}) = n − 1 if and only if deg(F) = n − 1.

Since the inverse of an affine S-box is affine and, when n = 4, the inverse of a cubic S-box is cubic, it follows that in this case the inverse of a quadratic S-box is quadratic. The Keccak S-box (n = 5) [2] is an example where the algebraic degree of the inverse S-box (3) is different from the algebraic degree of the S-box itself (2). We have observed that there are 172 self-inverse classes in S_16. The remaining 130 classes form 65 pairs, i.e., any S-box S of the first class has an inverse S-box S^{−1} in the second class (and vice versa). Table 1 gives the list of the pairs of inverse classes.

Table 1: Pairs of inverse classes (65 pairs of inverse classes; the remaining 172 classes are self-inverse)

(C^4_29, C^4_30), (C^4_33, C^4_34), (C^4_39, C^4_40), (C^4_43, C^4_44), (C^4_47, C^4_48), (C^4_49, C^4_50), (C^4_52, C^4_53), (C^4_58, C^4_59), (C^4_60, C^4_61),
(C^4_63, C^4_64), (C^4_66, C^4_67), (C^4_68, C^4_69), (C^4_70, C^4_71), (C^4_73, C^4_74), (C^4_79, C^4_80), (C^4_85, C^4_86), (C^4_87, C^4_88), (C^4_90, C^4_91),
(C^4_93, C^4_94), (C^4_95, C^4_96), (C^4_97, C^4_98), (C^4_103, C^4_104), (C^4_105, C^4_106), (C^4_108, C^4_109), (C^4_110, C^4_111), (C^4_112, C^4_113),
(C^4_114, C^4_115), (C^4_116, C^4_117), (C^4_120, C^4_121), (C^4_123, C^4_124), (C^4_126, C^4_127), (C^4_128, C^4_129), (C^4_130, C^4_131),
(C^4_132, C^4_133), (C^4_143, C^4_144), (C^4_147, C^4_148), (C^4_150, C^4_151), (C^4_152, C^4_153), (C^4_154, C^4_155), (C^4_156, C^4_157),
(C^4_158, C^4_159), (C^4_161, C^4_162), (C^4_164, C^4_165), (C^4_166, C^4_167), (C^4_169, C^4_170), (C^4_171, C^4_172), (C^4_181, C^4_182),
(C^4_183, C^4_184), (C^4_185, C^4_186), (C^4_190, C^4_191), (C^4_199, C^4_200), (C^4_201, C^4_202), (C^4_203, C^4_204), (C^4_206, C^4_207),
(C^4_209, C^4_210), (C^4_211, C^4_212), (C^4_214, C^4_215), (C^4_226, C^4_227), (C^4_229, C^4_230), (C^4_233, C^4_234), (C^4_241, C^4_242),
(C^4_243, C^4_244), (C^4_256, C^4_257), (C^4_259, C^4_260), (C^4_296, C^4_297).

3 Decomposition of 4 × 4 S-boxes

In this section we consider all 4 × 4 bijections, and investigate when a cubic bijection from S_16 can be decomposed as a composition of quadratic bijections. We will refer to the minimum number of quadratic bijections in such a decomposition as the decomposition length. Recall that the Noekeon S-box is cubic but defined as a composition of two quadratic S-boxes in F_2^4: S(x) = S_2(S_1(x)). Similarly, the Present S-box is cubic but has also been shown to be decomposable into two quadratic S-boxes.

Lemma 3. If an S-box S can be decomposed into a sequence of t quadratic S-boxes, then all S-boxes which are affine equivalent to S can be decomposed into a sequence of t quadratic S-boxes.

Proof. Let S be a cubic permutation which can be decomposed as a composition of quadratic bijections Q_1 ∘ Q_2 ∘ ... ∘ Q_{t−1} ∘ Q_t with length t. Let W be an S-box which is affine equivalent to S. By definition, there exist affine permutations A and B such that W = B ∘ S ∘ A. Therefore W = B ∘ Q_1 ∘ Q_2 ∘ ... ∘ Q_{t−1} ∘ Q_t ∘ A; now, by defining the two quadratic permutations Q'_1 = B ∘ Q_1 and Q'_t = Q_t ∘ A, we obtain that W = Q'_1 ∘ Q_2 ∘ ... ∘ Q_{t−1} ∘ Q'_t has a decomposition with quadratic permutations and that its length is t. ⊓⊔

Lemma 4 ([32]). For all n, the n × n affine bijections are in the alternating group.

Lemma 5. All 4 × 4 quadratic S-boxes belong to the alternating group A_16.

Proof. Since all invertible affine transformations are in the alternating group (the previous lemma), two S-boxes which are affine equivalent are either both even or both odd. We have taken one representative of each of the 6 quadratic classes Q^4_i for i ∈ {4, 12, 293, 294, 299, 300} [7] and have verified that their parities are even. ⊓⊔

Now we investigate which permutations we can generate by combining the affine and the quadratic permutations.
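Lemma 5 was established by computing the parity of one representative per quadratic class, and Theorem 1 below turns parity into the decision criterion for decomposability. The following Python code is an added example, not code from the paper or its authors. It computes the parity of a permutation from its cycle structure, checks formula (1) and Lemma 4 for n = 4 by enumerating all invertible linear maps of F_2^4, applies the parity test to the Present S-box (even, hence in A_16, consistent with its length-2 decomposition) and to the inversion in GF(2^4), whose 5-share realization Section 2.2 cites (an involution with exactly two fixed points, so 7 transpositions, odd, hence not in A_16 and not decomposable into quadratics), and builds the factorization S = T ∘ S̃ of Lemma 7 with a single transposition as the fixed odd S̃. The Present table and the field modulus x^4 + x + 1 are this example's own inputs.

```python
"""Parity of S-boxes (Section 2.4) and membership in the alternating group
A_16, the criterion of Theorem 1 for decomposability into quadratics.
Added example, not the paper's code. A permutation of 0..2^n-1 is a list
p with p[x] = S(x)."""
from itertools import product
from math import prod


def is_even(perm):
    """A permutation is even iff the sum over its cycles of (length - 1),
    i.e. the number of transpositions in one decomposition, is even."""
    seen = [False] * len(perm)
    transpositions = 0
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = perm[x]
            length += 1
        transpositions += length - 1
    return transpositions % 2 == 0


def compose(f, g):
    """(f o g)(x) = f(g(x))."""
    return [f[g[x]] for x in range(len(g))]


def inverse(perm):
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def gf16_inversion():
    """The inversion S-box x -> x^-1 in GF(2^4), with 0 -> 0. The modulus
    x^4 + x + 1 is this example's choice; the parity does not depend on it."""
    def mul(a, b):
        r = 0
        for _ in range(4):
            if b & 1:
                r ^= a
            a <<= 1
            if a & 0x10:
                a ^= 0x13
            b >>= 1
        return r
    table = [0] * 16
    for x in range(1, 16):
        table[x] = next(y for y in range(1, 16) if mul(x, y) == 1)
    return table


def affine_count(n):
    """Formula (1): number of invertible affine permutations of F_2^n."""
    return (1 << n) * prod((1 << n) - (1 << i) for i in range(n))


def linear_bijections_4bit():
    """All invertible linear maps of F_2^4 as permutations of 0..15; a map is
    given by the images of the unit vectors 1, 2, 4, 8 (its matrix columns).
    Together with the 16 translations x -> x + a this gives formula (1)."""
    maps = []
    for cols in product(range(1, 16), repeat=4):
        lin = [0] * 16
        for x in range(1, 16):
            v = 0
            for i in range(4):
                if x >> i & 1:
                    v ^= cols[i]
            lin[x] = v
        if len(set(lin)) == 16:      # bijective iff the columns are independent
            maps.append(lin)
    return maps


def even_factor(s, s_tilde):
    """Lemma 7: for odd S and a fixed odd S~, T = S o S~^-1 is even and S = T o S~."""
    return compose(s, inverse(s_tilde))


# Present S-box, typed in for the example (the paper places it in C^4_266)
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    print("Present even:", is_even(PRESENT))                       # True: in A_16
    print("GF(16) inversion even:", is_even(gf16_inversion()))     # False: 7 transpositions
    lin = linear_bijections_4bit()
    print(16 * len(lin) == affine_count(4), all(is_even(p) for p in lin))   # True True
    swap = list(range(16))
    swap[0], swap[1] = 1, 0                                        # a fixed odd permutation
    t = even_factor(gf16_inversion(), swap)
    print(is_even(t), compose(t, swap) == gf16_inversion())        # True True
```

Translations x → x + a (a ≠ 0) are products of 8 disjoint transpositions and therefore even, so checking Lemma 4 over the 20160 linear bijections suffices for all 322560 affine ones.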
We start with the following lemma.

Lemma 6. Let Q_i be 6 arbitrarily selected representatives of the 6 quadratic classes Q^4_i (hence i ∈ {4, 12, 293, 294, 299, 300}). Then all cubic permutations S that have decomposition length 2 are affine equivalent to one of the cubic permutations that can be written as

S̃_{i×j} = Q_i ∘ A ∘ Q_j,    (2)

where A is an invertible affine permutation and i, j ∈ {4, 12, 293, 294, 299, 300}.

Proof. Assume that S = Q_a ∘ Q_b. Then we know that there are invertible affine maps A_a, B_a, A_b, B_b such that S = (B_a ∘ Q_i ∘ A_a) ∘ (B_b ∘ Q_j ∘ A_b), where Q_i, Q_j are two of the representatives defined above. We choose A = A_a ∘ B_b and S̃_{i×j} = B_a^{−1} ∘ S ∘ A_b^{−1}. ⊓⊔

It follows that we can construct all cubic classes of decomposition length 2 by running through the 36 possibilities for i × j and the 322560 invertible affine transformations in (2). This approach produces 30 cubic classes. In the remainder, we will denote the S-boxes S̃_{i×j} by i × j and refer to them as the simple solutions. Table 12 in the Appendix lists the simple solutions for all 30 decompositions with length 2. Note that if Q_i ∘ A ∘ Q_j = S, i.e. S can be decomposed as a product i × j, then Q_j^{−1} ∘ A^{−1} ∘ Q_i^{−1} = S^{−1}. Since for n = 4 all quadratics are affine equivalent to their inverse, it follows that S^{−1} decomposes as a product j × i. Thus any self-inverse class has a decomposition i × j and j × i as well. For the pairs of inverse classes we conclude that if i × j belongs to the first class then j × i belongs to the second class.

To obtain all decompositions with length 3 we use a similar approach as for length 2, but the first permutation Q_i is cubic (instead of quadratic) and belongs to the already found list of cubic classes decomposable with length 2. It turns out that we can generate in this way the 114 remaining elements of A_16. Summarizing, we can prove the following theorem and lemma (stated without proof in [8]).

Theorem 1. A 4 × 4 bijection can be decomposed using quadratic bijections if and only if it belongs to the alternating group A_16 (151 classes).

Proof. (⇒) Let S be a bijection which can be decomposed with quadratic permutations, say Q_1 ∘ Q_2 ∘ ... ∘ Q_t. Since all Q_i ∈ A_16 (Lemma 5) and the alternating group is closed under composition, it follows that S ∈ A_16. (⇐) Lemma 3, Lemma 6 and the discussion following it imply that we can generate all elements of the alternating group using quadratic permutations. ⊓⊔

The left-hand columns of Table 2 list the decompositions of all 4 × 4 S-boxes. Theorem 1 implies that the classes which are not in the alternating group, i.e. in S_16 \ A_16, cannot be decomposed as a product of quadratic classes. Now we make the following simple observation:

Lemma 7. Let S̃ be a fixed permutation in S_16 \ A_16. Then any cubic permutation from S_16 \ A_16 can be presented as a product of S̃ and a permutation from A_16.

Proof. By definition, all permutations in S_16 \ A_16 are odd permutations, and if S̃ ∈ S_16 \ A_16, then S̃^{−1} ∈ S_16 \ A_16. Since the product of two odd permutations is even, we have: ∀S ∈ S_16 \ A_16: S ∘ S̃^{−1} ∈ A_16. It follows that ∃T ∈ A_16: S ∘ S̃^{−1} = T, i.e. S = T ∘ S̃. ⊓⊔

4 Sharing with 3, 4 and 5 shares

In this section we focus first on the permutations which can be shared with 3 shares, i.e. all S-boxes in F_2^3 and half of the S-boxes in F_2^4. Next we focus on those functions that can be shared with 4 shares, i.e. the other half of the S-boxes in F_2^4. Then we will show how to share all of these S-boxes in F_2^4 with 5 shares without the need of a decomposition.

4.1 A basic result

Theorem 2. If we have a sharing for a representative of a class, then we can derive a sharing for all S-boxes from the same class.

Proof. Let S be an n × n S-box which has a uniform, non-complete and correct sharing S̄ using s shares S_i. Denote the input vector of S by x, and the shares by x_i.
Each S_i contains n shared coordinate functions depending on at most s − 1 of the x_i, such that the non-completeness property is satisfied. We denote by x̄_i the vector containing the s − 1 inputs of S_i. We now construct a uniform, non-complete and correct sharing for any S-box S̃ which is affine equivalent to S. By definition, there exist two n × n invertible affine permutations A and B such that S̃ = B ∘ S ∘ A. In order to lighten notation, we give the proof for the case that A and B are linear permutations. We define Ā, B̄ as the ns × ns permutations that apply A, respectively B, to each of the shares separately:

Ā(x_1, x_2, ..., x_s) = (A(x_1), A(x_2), ..., A(x_s)),
B̄(x_1, x_2, ..., x_s) = (B(x_1), B(x_2), ..., B(x_s)).

Denote y_i = A(x_i), 1 ≤ i ≤ s, and define ȳ_i as the vector containing the s − 1 shares y_i that we need to compute S_i. Consider

S̄(Ā(x_1, x_2, ..., x_s)) = (S_1(ȳ_1), S_2(ȳ_2), ..., S_s(ȳ_s)).

By a slight abuse of notation we can write ȳ_i = Ā(x̄_i) and see that the non-completeness of the S_i is preserved in S̄ ∘ Ā. Since Ā is a permutation, it preserves the uniformity of the input, and since S̄ is uniform, so is the composition S̄ ∘ Ā. Correctness follows from the fact that S̄ is a correct sharing and that y_1 + y_2 + ··· + y_s = A(x_1) + A(x_2) + ··· + A(x_s) = A(x_1 + x_2 + ··· + x_s) = A(x). Consider now

B̄(S̄(Ā(x))) = (B(S_1(ȳ_1)), B(S_2(ȳ_2)), ..., B(S_s(ȳ_s))).

Since B̄ is a permutation, it preserves the uniformity of the output, and since S̄ is uniform, the composition B̄ ∘ S̄ is uniform. The composition is non-complete since the S_i are non-complete and B̄ does not combine different shares. Correctness follows from the fact that S̄ is a correct sharing and hence B(S_1(ȳ_1)) + B(S_2(ȳ_2)) + ··· + B(S_s(ȳ_s)) = B(S_1(ȳ_1) + S_2(ȳ_2) + ··· + S_s(ȳ_s)) = B(S(A(x))). ⊓⊔

4.2 Direct sharing

The most difficult property to satisfy when a function is shared is uniformity.
Assume that we want to construct a sharing for the function F(x, y, z) with 3 shares. Then it is easy to produce a sharing which satisfies the correctness and non-completeness requirements and is rotation symmetric, by means of a method that we call the direct sharing method and that we now describe. First, we replace every input variable by the sum of 3 shares. Correctness is satisfied if we ensure that

F_1 + F_2 + F_3 = F(x_1 + x_2 + x_3, y_1 + y_2 + y_3, z_1 + z_2 + z_3).

In order to satisfy non-completeness, we have to divide the terms of the right-hand side over the three F_j in such a way that F_j does not contain a term in x_j. We achieve this by assigning the linear terms containing an index j to F_{j−1}, the quadratic terms containing indices j and j + 1 to F_{j−1}, and the quadratic terms containing the index j only to F_{j−1} (indices are taken modulo 3, so that F_0 denotes F_3). For example, F(x, y, z) = x + yz gives:

F_1 = x_2 + z_2 y_2 + z_2 y_3 + z_3 y_2
F_2 = x_3 + z_3 y_3 + z_3 y_1 + z_1 y_3
F_3 = x_1 + z_1 y_1 + z_1 y_2 + z_2 y_1.

Note that the uniformity of a sharing produced in this way is not guaranteed. It has to be verified separately. The method can easily be generalized to a larger number of shares. Direct sharing has been used in [25] for the decomposition of the quadratic permutations F and G of the Present S-box S, and similarly for Noekeon [22] and Keccak [3].

With the direct sharing method we were able to find sharings respecting the uniformity condition for all 1344 permutations of Q^3_1, but for none of Q^3_2 and Q^3_3. We were also able to find sharings for all 322560 permutations of Q^4_4, Q^4_294 and Q^4_299, but for none of Q^4_12, Q^4_293 and Q^4_300. So, unfortunately, half of the quadratic S-boxes cannot be shared directly with length 1, but we can still find a sharing with length 2 by decomposing them as a composition of the already shared quadratic S-boxes. Thus, if we use only direct sharing we will be able to find sharings for all S-boxes in the alternating group, but at the cost of a longer path.
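The direct sharing rule above and the three properties of Section 2.1 can be checked mechanically for small functions. The following Python code is an added example, not code from the paper. It implements direct sharing of a quadratic (m, n) function given in algebraic normal form, with the paper's rule for 3 shares (and the natural generalization to more shares: a product of shares with index set I goes to a component whose index is not in I), and verifies correctness, non-completeness (in the form "F_i is independent of share i") and uniformity by exhaustive evaluation, comparing against 2^{(s−1)(m−n)} times the preimage count as in Section 2.1. It reproduces the shares of x + yz given above (which turn out to be uniform, since each F_j contains one linear share of x that no other F_j uses), shows that the direct sharing of the AND gate xy is correct and non-complete but not uniform, and shares the 3 × 3 quadratic permutation (x + yz, y, z), constructed for the example. The ANF representation and the 0-based share indices are the example's own conventions.

```python
"""Direct sharing (Section 4.2) of a quadratic (m, n) vectorial Boolean
function and brute-force verification of the three TI properties of
Section 2.1. Added example, not the paper's code. A coordinate function is
a set of monomials, each a tuple of variable indices: () constant, (v,)
linear, (u, v) quadratic. Shares are 0-based: share i of variable v has
flattened index v*s + i, and component F_k must not use share k of any
variable (the paper's F_j / x_j, shifted by one)."""
from collections import Counter
from itertools import product


def eval_anf(monomials, bits):
    """Evaluate an ANF over GF(2) (and = product, xor = sum) at a bit tuple."""
    r = 0
    for mono in monomials:
        t = 1
        for v in mono:
            t &= bits[v]
        r ^= t
    return r


def direct_share_coord(monomials, s=3):
    """Direct sharing of one Boolean coordinate of degree <= 2 into s components.
    Each variable x is replaced by x_0 + ... + x_{s-1}; a resulting monomial
    with share-index set I goes to component k = j-1 (mod s) for the first j
    in I with k not in I. For s = 3 this is exactly the paper's rule: indices
    {j} or {j, j+1} go to F_{j-1}."""
    if s < 3:
        raise ValueError("a quadratic term needs at least 3 shares")
    comps = [set() for _ in range(s)]

    def put(k, mono):
        comps[k] ^= {mono}          # over GF(2) a monomial added twice cancels

    for mono in monomials:
        if len(mono) == 0:
            put(0, ())
        elif len(mono) == 1:
            (v,) = mono
            for j in range(s):
                put((j - 1) % s, (v * s + j,))
        elif len(mono) == 2:
            u, v = mono
            for i, j in product(range(s), repeat=2):
                idx = {i, j}
                k = next((j2 - 1) % s for j2 in sorted(idx) if (j2 - 1) % s not in idx)
                put(k, (u * s + i, v * s + j))
        else:
            raise ValueError("direct sharing here handles degree <= 2 only")
    return comps


def direct_share(coords, s=3):
    """Share an (m, n) function given as n coordinate ANFs. Returns s components,
    each a list of n coordinate ANFs over the m*s shared variables."""
    shared = [direct_share_coord(c, s) for c in coords]
    return [[shared[c][k] for c in range(len(coords))] for k in range(s)]


def check_sharing(coords, comps, m, s):
    """Return (correct, non_complete, uniform) by exhaustive evaluation (m >= n)."""
    n = len(coords)
    non_complete = all(w % s != k for k in range(s)
                       for coord in comps[k] for mono in coord for w in mono)
    correct = True
    counts = Counter()
    for shares in product((0, 1), repeat=m * s):
        x = tuple(sum(shares[v * s:(v + 1) * s]) % 2 for v in range(m))
        outs = tuple(tuple(eval_anf(c, shares) for c in comp) for comp in comps)
        recombined = tuple(sum(o[c] for o in outs) % 2 for c in range(n))
        if recombined != tuple(eval_anf(c, x) for c in coords):
            correct = False
        counts[outs] += 1
    # Uniformity: every output share tuple (a_0, ..., a_{s-1}) recombining to a
    # must occur 2^{(s-1)(m-n)} times the number of preimages of a under F.
    preimages = Counter(tuple(eval_anf(c, x) for c in coords)
                        for x in product((0, 1), repeat=m))
    scale = 1 << ((s - 1) * (m - n))
    uniform = True
    for outs in product(product((0, 1), repeat=n), repeat=s):
        a = tuple(sum(o[c] for o in outs) % 2 for c in range(n))
        if counts[outs] != scale * preimages[a]:
            uniform = False
    return correct, non_complete, uniform


if __name__ == "__main__":
    X, Y, Z = 0, 1, 2
    f = [{(X,), (Y, Z)}]                       # the paper's example x + yz
    comps = direct_share(f)
    print(comps[0][0])                          # x_1 + y_1 z_1 + y_1 z_2 + y_2 z_1 (paper's F_1)
    print(check_sharing(f, comps, 3, 3))        # (True, True, True)
    g = [{(X, Y)}]                              # AND gate: no uniform 3-share sharing exists
    print(check_sharing(g, direct_share(g), 2, 3))   # (True, True, False)
    t = [{(X,), (Y, Z)}, {(Y,)}, {(Z,)}]        # constructed quadratic 3x3 permutation
    print(check_sharing(t, direct_share(t), 3, 3))   # (True, True, True)
```

The exhaustive uniformity check costs 2^{ms} evaluations, which is fine for the 3-bit and 4-bit S-boxes of this paper (2^9 and 2^12 inputs with 3 shares) but is exactly the cost that makes the correction-term search of Section 4.3 expensive.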
4.3 Correction terms

Since direct sharing does not always result in a uniform sharing, the use of correction terms (CT) has been proposed [19, 21]. Correction terms are terms that can be added in pairs to more than one share such that they satisfy the non-completeness rule. Since the terms in a pair cancel each other, the sharing still satisfies correctness. By varying the CT one can obtain all possible sharings of a given function.

Consider a quadratic Boolean function with m variables (1 output bit), which we want to share with 3 shares. Note that the only terms which can be used as CT are x_i or x_i y_i (or higher degree) for i = 1, 2, 3. Indeed, terms like x_i y_j for i ≠ j cannot be used in the i-th and j-th share of the function because of the non-completeness rule, and therefore such a term can be used in only 1 share, hence it cannot be used as a CT. Thus, counting only the linear and quadratic CT and ignoring the constant terms, which do not influence uniformity, for a quadratic function with m variables we obtain that there are $3\left(m + \binom{m}{2}\right)$ CT. Taking into account all possible positions for the CT we get $2^{3\left(m + \binom{m}{2}\right)}$ sharings. For example, for a quadratic function of 3 variables there are 2^18 possible choices of CT, and therefore for a 3 × 3 S-box the search space is 2^54. This makes an exhaustive search over all CT (to find a single good solution) impractical, even for small S-boxes. For sharing with 4 shares even more terms can be used as CT.

4.4 A link between the 3 × 3 S-boxes and some quadratic 4 × 4 S-boxes

Lemma 8. There is a transformation which expands Q^3_1, Q^3_2 and Q^3_3 into Q^4_4, Q^4_12 and Q^4_300, respectively.

Proof. Starting from a 3 × 3 S-box S and adding a new variable we can obtain a 4 × 4 S-box S̃. Namely, the transformation is defined as follows: let S(w, v, u) = (y_1, y_2, y_3) and define S̃(x, w, v, u) = (y_1, y_2, y_3, x). It is easy to check that this transformation maps the first 3 classes into the other 3 classes.
⊓⊔

The relation from Lemma 8 explains why, if we have a sharing for a class in F_2^3, we also obtain a sharing for the corresponding class in F_2^4, and vice versa, i.e., if we cannot share a class, the corresponding class cannot be shared either.

The results we have obtained with 3 shares are summarized in Table 2 (middle columns). Recall that if we use only direct sharing we will be able to share with 3 shares all S-boxes in the alternating group, but at the cost of a longer path than the one obtained by decomposition. However, using CT we found sharings for the classes Q^3_1, Q^3_2, Q^4_4, Q^4_12, Q^4_293, Q^4_294 and Q^4_299. So all quadratic classes except Q^3_3 and Q^4_300 can be shared with 3 shares and without decomposition. We want to pose an open question: find a sharing without decomposition for the classes Q^3_3 and Q^4_300, or show why they cannot be shared with 3 shares in that way.

4.5 Sharing using decomposition

As an alternative to the search through a set of correction terms, we can also construct sharings after using decomposition: we try to decompose S-boxes into S-boxes for which we already have sharings. This decomposition problem is more constrained than the basic problem discussed in Section 3, since for sharing with 3 shares we can use only the quadratic S-boxes for which we already have a sharing. It turns out that this extra requirement sometimes increases the decomposition length by one. For example, the decomposition of Q^3_3 is 1 × 2 and 2 × 1, i.e., we obtain a sharing for Q^3_3 at the cost of length 2 (instead of length 1). Similarly, Q^4_300 can be decomposed as 4 × 12, 4 × 293, 12 × 4, 12 × 294, 293 × 4, 293 × 294, 294 × 12 and 294 × 293, so again we obtain a sharing with length 2. Table 2 (right columns) gives the results.

Recall that one cannot find a sharing with 3 shares for cubic functions outside the alternating group. Thus, 4 shares will be required in this case.
Using direct sharing with 4 shares we obtain slightly better results for the quadratic S-boxes compared to 3 shares, since we were able to share also class Q^4_300 (and therefore Q^3_3 too). The sharing of class Q^4_300 has further improved the sharings of C^4_130, C^4_131 and C^4_24, which have sharings with shorter length for 4 shares than for 3 shares. We have also found sharings with 4 shares for the cubic classes C^4_1, C^4_3, C^4_13 and C^4_301 from S_16 \ A_16 using direct sharing. By using Lemma 7 we obtain sharings with 4 shares for all 4 × 4 S-boxes. Observe that the total length of the sharing depends on the class we use (C^4_1, C^4_3, C^4_13 and C^4_301) and also on the class from the alternating group which is used for the decomposition. For example, class C^4_7 can be decomposed using C^4_1 with length 4, but with C^4_3 and C^4_13 it can be decomposed with length 3. Note also that the number of solutions differs: we have found 10, 31 and 49 solutions when using the classes C^4_1, C^4_3 and C^4_13, correspondingly. Surprisingly, for the classes in the alternating group we have only a slight improvement with 4 shares compared to 3 shares, and only a few classes in S_16 \ A_16 have a direct sharing with 4 shares. However, with 5 shares all classes can be shared directly without decomposition, which is a big improvement compared to the situation with 4 shares.

Table 2: Overview of the numbers of classes of 4 × 4 S-boxes that can be decomposed and shared using 3 shares, 4 shares and 5 shares. The numbers are split up according to the decomposition length of the S-boxes (1, 2, 3 or 4), respectively of their sharings.

                unshared         3 shares            4 shares         5 shares
 length         1    2    3      1    2    3    4    1    2    3      1         remark
                6                5    1              6                6         quadratics
                    30               28    2             30          30         cubics in A_16
                        114              113    1            114    114         cubics in A_16
                –                –                   4   22  125     151         cubics in S_16 \ A_16

An open question is why, for all S-boxes, the sharing with 4 shares does not improve significantly on the results with 3 shares, while suddenly with 5 shares we can share all classes with length 1.
Recall that for the Present S-box, decompositions S(x) = F(G(x)) have been found in [25]. The authors also observed that exactly 73 sharings out of the decompositions automatically satisfy the uniformity condition (i.e. without any correction terms). Recall that with the direct sharing method without CT we (as well as the authors of [25]) were able to share only 3 quadratic classes: Q^4_4, Q^4_294 and Q^4_299. The Present S-box belongs to C^4_266 and has 7 simple solutions (see Table 12), but only 3 of them can be shared, namely 294 × 299, 299 × 294 and 299 × 299, which explains the authors' observation.

In Tables 7–10, the column Sharing gives the length of the sharings found with 3 and with 4 shares, separated by a comma. Since all classes can be shared with 5 shares with length 1, we omit this fact in these tables. Recall that for the S-boxes in S_16 \ A_16 no solution with 3 shares exists, which is indicated in the tables by a −.

Note that each DES 6 × 4 S-box can be considered as an affine 2 × 2 selection S-box with four 4 × 4 S-boxes attached. Since we have sharings for both 2 × 2 and 4 × 4 S-boxes, we conclude that we have sharings for the DES 6 × 4 S-boxes as well.

5 HW implementation of the sharings

In this section, our aim is to provide a fair comparison and a prediction of what the cost (area expressed as a ratio to a NAND gate, referred to as GE) will be for a protected S-box in a specified library. For our investigations we used the TSMC 0.18 µm standard cell library in the Synopsys development tool. Quadratic classes and cubic classes with length 1 form the basis of all our implementations. Therefore, we concentrated our efforts on these classes. For the 3 × 3 S-boxes we synthesized 840 affine equivalent S-boxes for each class. However, the number of S-boxes in a class increases to more than 322560 as we move to 4 × 4 S-boxes. In that case, we chose 1000 S-boxes per class to synthesize.
In Tables 3, 4 and 5 we show, for each class, the implementation results of the S-box with the minimum GE (from the synthesis of the original S-boxes over the class) as well as of the S-box with the maximum GE. Note, however, that the Min and Max values should only be taken as indications. The area results listed in the column Original S-box for an n × n S-box include one n-bit register. If a decomposition is necessary for a correct, non-complete and uniform sharing, then we included registers between every pipelining stage, as required by [22], which increases the cost as expected. For classes with decomposition length more than 1 we randomly chose a class representative, i.e. an S-box. Then we implemented the smallest among all possible decompositions of this S-box, namely the one which gives the minimum GE.

Table 3: $S_8$: sharing of the quadratic 3 × 3 S-boxes (area in GE; "L reg" means that L pipeline registers are included)

Class      L          Original   Unshared decomposed   Shared, 3 shares   Shared, 4 shares   Shared, 5 shares
                      S-box      (L reg)               (L reg)            (1 reg)            (1 reg)
$Q^3_1$    1    Min   27.66      –                     98.66              138.00             148.00
                Max   29.66      –                     121.66             150.00             185.66
$Q^3_2$    1    Min   29.00      –                     116.66             174.00             180.00
                Max   29.66      –                     155.00             226.66             220.33
$Q^3_3$    2    Min   30.00      50.00                 194.33             140.00             167.00
                Max   32.00      51.00                 201.00             194.33             228.66

Table 4: $A_{16}$: sharing of the quadratic 4 × 4 S-boxes (area in GE)

Class         L          Original   Unshared decomposed   Shared, 3 shares   Shared, 4 shares   Shared, 5 shares
                         S-box      (L reg)               (L reg)            (1 reg)            (1 reg)
$Q^4_4$       1    Min   37.33      –                     121.33             168.33             186.33
                   Max   44.00      –                     223.33             258.00             309.00
$Q^4_{12}$    1    Min   36.66      –                     139.33             204.00             218.00
                   Max   48.00      –                     253.33             290.33             340.66
$Q^4_{293}$   1    Min   39.33      –                     165.33             194.33             235.00
                   Max   48.66      –                     297.33             313.00             358.33
$Q^4_{294}$   1    Min   40.00      –                     141.33             170.33             210.33
                   Max   49.66      –                     261.00             240.00             255.00
$Q^4_{299}$   1    Min   40.33      –                     174.33             211.00             247.00
                   Max   48.00      –                     298.00             295.33             294.66
$Q^4_{300}$   2    Min   33.66      58.00                 207.33             209.66             249.33
                   Max   52.66      70.00                 346.00             295.00             342.33
We saw that the classes $Q^3_3$, $Q^4_{300}$, $C^4_{150}$, $C^4_{151}$, $C^4_{130}$, $C^4_{131}$, $C^4_{24}$, $C^4_{204}$, $C^4_{257}$ and $C^4_{210}$ give relatively small results when implemented as 2 × 1, 12 × 4, 12 × 293, 293 × 12, 12 × 4 × 299, 299 × 12 × 4, 299 × 12 × 4 × 299, 3 × 294, 3 × 12 and 3 × 293 × 12, respectively. The area figures for $C^4_{204}$ and $C^4_{257}$ differ significantly. Closer inspection reveals that this is due to the fact that their decompositions use different S-boxes from $C^4_3$: the S-box used in the decomposition of $C^4_{204}$ is smaller than the one used in the decomposition of $C^4_{257}$.

Table 5: $S_{16}$: sharing of the cubic 4 × 4 S-boxes (area in GE). L is the decomposition length of the S-box (equal to the length of the 3-share sharing where one exists), L' the length of the 4-share sharing.

Class                                  (L, L')         Original   Unshared decomposed   Shared, 3 shares   Shared, 4 shares   Shared, 5 shares
                                                       S-box      (L' reg)              (L reg)            (L' reg)           (1 reg)
$C^4_1 \in S_{16} \setminus A_{16}$      1,1     Min   39.66      –                     –                  213.66             273.66
                                                 Max   40.33      –                     –                  378.00             464.66
$C^4_3 \in S_{16} \setminus A_{16}$      1,1     Min   40.33      –                     –                  230.33             286.33
                                                 Max   43.00      –                     –                  413.66             500.66
$C^4_{13} \in S_{16} \setminus A_{16}$   1,1     Min   40.33      –                     –                  260.00             319.00
                                                 Max   41.33      –                     –                  423.00             502.66
$C^4_{301} \in S_{16} \setminus A_{16}$  1,1     Min   39.33      –                     –                  289.33             350.33
                                                 Max   59.33      –                     –                  526.33             605.66
$C^4_{150} \in A_{16}$                   2,2           46.33      71.66                 305.33             430.66             414.33
$C^4_{151} \in A_{16}$                   2,2           47.33      69.66                 286.00             410.00             390.00
$C^4_{130} \in A_{16}$                   3,2           48.00      97.33                 393.00             375.66             442.66
$C^4_{131} \in A_{16}$                   3,2           50.00      99.00                 386.00             363.33             435.66
$C^4_{24} \in A_{16}$                    4,3           48.33      151.33                674.00             616.66             734.66
$C^4_{204} \in S_{16} \setminus A_{16}$  2,2           49.00      80.33                 –                  413.00             501.33
$C^4_{257} \in S_{16} \setminus A_{16}$  2,2           47.66      73.66                 –                  486.00             594.00
$C^4_{210} \in S_{16} \setminus A_{16}$  3,3           47.66      119.33                –                  602.00             695.33

6 Extensions

We present here two extensions to the basic approach.

6.1 Virtual variables and virtual shares

For some Boolean functions with two inputs there is no sharing with 3 shares satisfying the three requirements [19, 21]. For example, this is the case for the multiplication of two variables. On the other hand, sharings with 3 shares do exist for all quadratic Boolean functions with 3 inputs. This fact leads to an approach where we define extra input variables, called virtual variables, for the function that we want to find a sharing for.
A virtual variable is hence an additional input to the function whose value does not influence the output of the function. In the implementation, however, it must be ensured that the attacker cannot predict the value of the virtual variable: it has to be random. Hence the approach requires additional randomness as input. For example, assume that we want to construct a sharing for the function $F(x, y) = xy$. By adding a virtual variable $z$, we can share $F(x, y, z) = xy$ as follows [21]:

$F_1 = x_2 y_2 + x_2 y_3 + x_3 y_2 + x_2 z_2 + x_3 z_3 + y_2 z_2 + y_3 z_3$
$F_2 = x_3 y_3 + x_1 y_3 + x_3 y_1 + x_3 z_3 + x_1 z_1 + y_3 z_3 + y_1 z_1$
$F_3 = x_1 y_1 + x_1 y_2 + x_2 y_1 + x_1 z_1 + x_2 z_2 + y_1 z_1 + y_2 z_2$

Without a virtual variable we can share the product of two variables if we use 4 shares [19], hence in total 2 × 4 = 8 input elements. With the virtual variable we obtain 3 × 3 = 9 elements, which is in fact not an improvement.

Since $z$ in the previous example $F = xy$ was a virtual variable, its shares $z_1$, $z_2$ and $z_3$ can be called virtual shares. Instead of introducing all 3 virtual shares, we can also introduce fewer of them. Since a virtual share is not related to a "real" input of the function, it does not need to be taken into account when we check the non-completeness of the sharing. The previous example can be shared using only one virtual share:

$F_1 = x_2 y_2 + x_2 y_3 + x_3 y_2 + z$
$F_2 = x_3 y_3 + x_1 y_3 + x_3 y_1 + x_1 z + y_1 z$
$F_3 = x_1 y_1 + x_1 y_2 + x_2 y_1 + x_1 z + y_1 z + z$

In this sharing we use only 7 elements.

6.2 Varying the number of shares

Until now we have considered the case where the inputs and the outputs of a function have to be shared with the same number of shares, say $s$. In fact it is possible to generalize the approach such that the inputs are shared with $s_i$ shares and the outputs (i.e., the function) with $s_o$ shares, provided that $s_i \geq s_o$ holds. We briefly illustrate this approach by sharing the product $xy$ such that the input is shared with 4 shares and the output with 3 shares.
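The following Python script is an added worked example and is not part of the paper. It brute-forces the three properties of the sharings of $xy$ discussed in this section: the 3-share sharing with the virtual variable $z$ and the 7-element sharing with a single virtual share from above, and the sharing with 4 input shares and 3 output shares that Section 6.2 gives next. For contrast it also runs the obvious 3-share candidate $F_i = x_i y_i + x_i y_{i+1} + x_{i+1} y_i$ (indices mod 3), which is correct and non-complete but not uniform, the failure that the virtual variable is introduced to repair. Uniformity is checked as: for every unshared input value, each of the $2^{s_o - 1}$ valid output sharings is hit by the same number of input sharings, with virtual shares ranging over all values. The helper names (`anf`, `check_ti`, `report`) are my own and not the paper's.

```python
"""Added example: brute-force check of the TI properties of the xy sharings in Section 6."""
import re
from itertools import product


def anf(expr):
    """Parse a sum of monomials written as in the paper ('x2y2 + x3z3 + z') into a
    function of a dict that maps share names ('x2', 'z', ...) to bits."""
    monomials = [re.findall(r"[a-z]\d*", m) for m in expr.split("+")]
    return lambda v: sum(all(v[n] for n in m) for m in monomials) % 2


def share_vectors(value, n):
    """All n-bit share vectors over GF(2) whose XOR equals `value`."""
    return [s for s in product((0, 1), repeat=n) if sum(s) % 2 == value]


def _depends_on(func, name, keys):
    """True if flipping the input `name` changes `func` for some assignment."""
    for bits in product((0, 1), repeat=len(keys)):
        v = dict(zip(keys, bits))
        w = dict(v)
        w[name] ^= 1
        if func(v) != func(w):
            return True
    return False


def check_ti(components, real, s_in, target, virtual=()):
    """Brute-force correctness, non-completeness and uniformity of a sharing.

    components : component functions F_i(v); len(components) is the number of
                 output shares s_out
    real       : names of the unshared inputs, each split into s_in shares
    target     : the unshared function, called as target(*values)
    virtual    : names of extra uniformly random bits that are not shares of a
                 real input (virtual shares); as in the paper they are ignored
                 by the non-completeness check
    Returns the three verdicts and, if uniform, how many input sharings map to
    each valid output sharing.
    """
    s_out = len(components)
    keys = [f"{n}{i}" for n in real for i in range(1, s_in + 1)] + list(virtual)

    # Non-completeness: every F_i must miss all real shares with some index j.
    non_complete = True
    for F in components:
        deps = {k for k in keys if _depends_on(F, k, keys)}
        if not any(all(f"{n}{j}" not in deps for n in real) for j in range(1, s_in + 1)):
            non_complete = False

    correct, uniform, per_output = True, True, None
    for values in product((0, 1), repeat=len(real)):
        hist = {}
        for shares in product(*(share_vectors(val, s_in) for val in values)):
            for rnd in product((0, 1), repeat=len(virtual)):
                v = dict(zip(keys, sum(shares, ()) + rnd))
                out = tuple(F(v) for F in components)
                if sum(out) % 2 != target(*values):
                    correct = False  # output shares do not XOR to target(values)
                hist[out] = hist.get(out, 0) + 1
        # Uniformity: each of the 2^(s_out-1) valid output sharings occurs equally often.
        per_output = sum(hist.values()) // 2 ** (s_out - 1)
        if len(hist) != 2 ** (s_out - 1) or any(c != per_output for c in hist.values()):
            uniform = False
    return {"correct": correct, "non_complete": non_complete, "uniform": uniform,
            "inputs_per_output": per_output if uniform else None}


def and_gate(x, y, *_):
    """The unshared function xy; extra (virtual) inputs are ignored."""
    return x & y


# Obvious 3-share candidate for xy: correct and non-complete, but not uniform.
XY_PLAIN_3 = [anf("x2y2 + x2y3 + x3y2"),
              anf("x3y3 + x1y3 + x3y1"),
              anf("x1y1 + x1y2 + x2y1")]

# Section 6.1: F(x, y, z) = xy with the virtual variable z shared as z1, z2, z3 ([21]).
XY_VIRTUAL_VAR = [anf("x2y2 + x2y3 + x3y2 + x2z2 + x3z3 + y2z2 + y3z3"),
                  anf("x3y3 + x1y3 + x3y1 + x3z3 + x1z1 + y3z3 + y1z1"),
                  anf("x1y1 + x1y2 + x2y1 + x1z1 + x2z2 + y1z1 + y2z2")]

# Section 6.1: the same function with a single virtual share z (7 elements in total).
XY_VIRTUAL_SHARE = [anf("x2y2 + x2y3 + x3y2 + z"),
                    anf("x3y3 + x1y3 + x3y1 + x1z + y1z"),
                    anf("x1y1 + x1y2 + x2y1 + x1z + y1z + z")]

# Section 6.2: 4 input shares, 3 output shares; the paper's factored products such as
# (x2 + x3 + x4)(y2 + y3) are written out here as sums of monomials.
XY_4_TO_3 = [anf("x2y2 + x2y3 + x3y2 + x3y3 + x4y2 + x4y3 + y4"),
             anf("x1y1 + x1y4 + x3y1 + x3y4 + x1y3 + x4"),
             anf("x2y1 + x2y4 + x4y1 + x4y4 + x1y2 + x4 + y4")]


def report():
    """Check all four sharings and return the verdicts keyed by sharing name."""
    return {
        "plain_3_share": check_ti(XY_PLAIN_3, ("x", "y"), 3, and_gate),
        "virtual_variable": check_ti(XY_VIRTUAL_VAR, ("x", "y", "z"), 3, and_gate),
        "virtual_share": check_ti(XY_VIRTUAL_SHARE, ("x", "y"), 3, and_gate, virtual=("z",)),
        "four_in_three_out": check_ti(XY_4_TO_3, ("x", "y"), 4, and_gate),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:18s} {verdict}")
```

The plain candidate fails only the uniformity test; the three sharings of this section pass all three, and the count of input sharings per output sharing (16, 8 and 16) is exactly the total number of input sharings divided by the 4 valid output sharings, which is what uniform means here.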
$F_1 = (x_2 + x_3 + x_4)(y_2 + y_3) + y_4$
$F_2 = (x_1 + x_3)(y_1 + y_4) + x_1 y_3 + x_4$
$F_3 = (x_2 + x_4)(y_1 + y_4) + x_1 y_2 + x_4 + y_4$

7 Conclusions

In this paper we have considered the threshold implementation method, a method to construct implementations of cryptographic functions that are secure against a large class of side-channel attacks, even when the hardware technology is not glitch-free. We have analyzed which basic S-boxes can be securely implemented using 3, 4 or 5 shares, and we have constructed sharings for all 3 × 3 and 4 × 4 S-boxes and for the 6 × 4 DES S-boxes. Thus we have extended the threshold implementation method to secure implementations of any cryptographic algorithm which uses these S-boxes. Note that the mixing layer in the round function of a block cipher is a linear operation and is thus trivially shared, even with 2 shares. Finally, we have implemented several of the shared S-boxes in order to investigate the cost of the sharing as well as the additional cost due to the pipelining stages separated by latches or registers.

Table 6: Range of the ratio (area of the shared S-box with length L) / (area of the original S-box)

                                3 shares                            4 shares                       5 shares
length                          1         2         3         4     1          2          3        1
quadratics in $S_8$             3.6–5.2   6.3–6.5   –         –     5.0–7.6    –          –        5.4–7.4
quadratics in $S_{16}$          3.3–6.2   6.2–6.6   –         –     4.3–6.4    –          –        5.1–7.4
cubics in $A_{16}$              –         6.0–6.6   7.7–8.2   13.9  –          7.3–9.3    12.8     8.2–15.2
cubics in $S_{16} \setminus A_{16}$   –   –         –         –     5.4–10.2   8.4–10.2   12.6     10.2–14.6

Our results, summarized in Table 6, show that such secure implementations can also be made efficient. Note that we consider the cost of a sharing with L registers, which is the total price of the sharing (since it includes the sharing logic plus the registers). Observe that the increase in cost for sharing a quadratic S-box with 3 shares is similar for n = 3 and n = 4. As expected, the longer the length of a sharing, the more costly it becomes (for 3 and 4 shares). It can be seen that sharings with 4 and 5 shares cost up to 50% more than sharings with 3 shares.
However, there are several cases where using 4 or 5 shares reduces the cost by up to 30%, respectively 10%, compared to 3 shares with a longer sharing length. For certain S-boxes using 5 shares may even be beneficial compared to 4 shares (up to 4%), but in general 5 shares are up to 30% more expensive than 4 shares. An obvious conclusion is that the cost of the TI method heavily depends on the class the given S-box belongs to, as well as on the chosen number of shares and the associated sharing length. Therefore, in order to minimize the implementation cost, the number of shares has to be chosen carefully. For all tested S-boxes we were able to find a sharing with a cost ranging from 3.3 to 12.8 times the area of the original S-box. Note, however, that the area numbers are based on a few implementations from each class; the ratios may change significantly if the smallest/biggest S-boxes are found for every class.

8 Acknowledgement

We would like to thank Christophe De Cannière for the fruitful discussions and for sharing with us his toolkit for affine equivalence classes. This work has been supported in part by the Research Council K.U.Leuven: GOA TENSE (GOA/11/007) and by the European Commission under contract ICT-2007-216646 (ECRYPT II).

References

1. Akkar, M.L., Giraud, C.: "An Implementation of DES and AES, Secure against Some Attacks," CHES 2001, LNCS 2162, pp. 309–318.
2. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: "Keccak specifications," NIST SHA-3 contest, 2008.
3. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: "Building power analysis resistant implementations of Keccak," Round 3 finalist of the Cryptographic Hash Algorithm Competition of NIST, 2010.
4. Blömer, J., Guajardo, J., Krummel, V.: "Provably Secure Masking of AES," SAC 2004, LNCS 3357, pp. 69–83.
5. Boura, C., Canteaut, A.: "On the influence of the algebraic degree of $F^{-1}$ on the algebraic degree of $G \circ F$," IACR ePrint archive, report 2011/503.
6. Carlet, C.: "Vectorial Boolean Functions for Cryptography," to appear.
7. De Cannière, C.: "Analysis and Design of Symmetric Encryption Algorithms," Ph.D. thesis, 2007.
8. De Cannière, C., Nikov, V., Nikova, S., Rijmen, V.: "S-box decompositions for SCA-resisting implementations," poster session of CHES 2011.
9. Daemen, J., Vandewalle, J.: "A New Approach Towards Block Cipher Design," FSE 1993, LNCS, pp. 18–33.
10. Daemen, J., Peeters, M., Van Assche, G.: "Bitslice Ciphers and Power Analysis Attacks," FSE 2000, LNCS, pp. 10–12.
11. Golic, J.D., Tymen, C.: "Multiplicative Masking and Power Analysis of AES," CHES 2002, LNCS 2523, pp. 198–212.
12. Ishai, Y., Sahai, A., Wagner, D.: "Private Circuits: Securing Hardware against Probing Attacks," CRYPTO 2003, LNCS 2729, pp. 463–481.
13. Knudsen, L.R., Leander, G., Poschmann, A., Robshaw, M.: "PRINTcipher: A Block Cipher for IC-Printing," CHES 2010, LNCS 6225, pp. 16–32.
14. Leander, G., Poschmann, A.: "On the Classification of 4 Bit S-Boxes," WAIFI 2007, LNCS 4547, pp. 159–176.
15. Lidl, R., Niederreiter, H.: "Finite Fields," Encyclopedia of Mathematics and its Applications, vol. 20, Addison-Wesley, 1983.
16. Mangard, S., Pramstaller, N., Oswald, E.: "Successfully Attacking Masked AES Hardware Implementations," CHES 2005, LNCS 3659, pp. 157–171.
17. Moradi, A., Mischke, O., Paar, C., Li, Y., Ohta, K., Sakiyama, K.: "On the Power of Fault Sensitivity Analysis and Collision Side-Channel Attacks in a Combined Setting," CHES 2011, LNCS 6917, pp. 292–311.
18. Moradi, A., Poschmann, A., Ling, S., Paar, C., Wang, H.: "Pushing the Limits: A Very Compact and a Threshold Implementation of AES," EUROCRYPT 2011, LNCS 6632, pp. 69–88.
19. Nikova, S., Rechberger, C., Rijmen, V.: "Threshold Implementations Against Side-Channel Attacks and Glitches," ICICS 2006, LNCS 4307, pp. 529–545.
20. Nikova, S., Rijmen, V., Schläffer, M.: "Using Normal Bases for Compact Hardware Implementations of the AES S-Box," SCN 2008, LNCS 5229, pp. 236–245.
21. Nikova, S., Rijmen, V., Schläffer, M.: "Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches," ICISC 2008, LNCS 5461, pp. 218–234.
22. Nikova, S., Rijmen, V., Schläffer, M.: "Secure Hardware Implementation of Nonlinear Functions in the Presence of Glitches," J. Cryptology 24(2), pp. 292–321, 2011.
23. Oswald, E., Mangard, S., Pramstaller, N., Rijmen, V.: "A Side-Channel Analysis Resistant Description of the AES S-Box," FSE 2005, LNCS 3557, pp. 413–423.
24. Popp, T., Mangard, S.: "Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints," CHES 2005, LNCS 3659, pp. 172–186.
25. Poschmann, A., Moradi, A., Khoo, K., Lim, C.W., Wang, H., Ling, S.: "Side-Channel Resistant Crypto for less than 2,300 GE," J. Cryptology 24(2), pp. 322–345, 2011.
26. Rivain, M., Prouff, E.: "Provably Secure Higher-Order Masking of AES," CHES 2010, LNCS 6225, pp. 413–427.
27. Prouff, E., Roche, T.: "Higher-Order Glitches Free Implementation of the AES Using Secure Multi-party Computation Protocols," CHES 2011, LNCS 6917, pp. 63–78.
28. Rotman, J.: "An Introduction to the Theory of Groups," Graduate Texts in Mathematics, Springer-Verlag, 1995.
29. Saarinen, M.-J. O.: "Cryptographic Analysis of All 4 × 4-Bit S-Boxes," SAC 2011, LNCS 7118, pp. 118–133, 2012.
30. Tiri, K., Verbauwhede, I.: "A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation," DATE 2004, IEEE Computer Society, pp. 246–251.
31. Trichina, E., Korkishko, T., Lee, K.H.: "Small Size, Low Power, Side Channel-Immune AES Coprocessor: Design and Synthesis Results," 4th AES Conference, LNCS 3373, pp. 113–127, 2004.
32. Wernsdorf, R.: "The Round Functions of RIJNDAEL Generate the Alternating Group," FSE 2002, LNCS 2365, pp. 143–148.
A Appendix: Tables

Table 7: The 4 classes of 3 × 3 S-boxes. Sharing: length with 3 shares, length with 4 shares.

Class      Truth table   Sharing
$A^3_0$    01234567      1,1
$Q^3_1$    01234576      1,1
$Q^3_2$    01234675      1,1
$Q^3_3$    01243675      2,2

Tables 8–10: The 302 classes of 4 × 4 S-boxes. Each row gives the class (the superscript 4 of $A^4_0$, $C^4_i$, $Q^4_i$ is omitted), the truth table of the class representative as the hexadecimal string $S(0) S(1) \dots S(15)$, and the sharing lengths with 3 and 4 shares. A "–" as the first length means that no sharing with 3 shares exists, i.e. the class lies in $S_{16} \setminus A_{16}$.

Table 8: classes $A_0$, $C_1$ to $C_{134}$

Class    Truth table        Sharing
A_0      0123456789ABCDEF   1,1
C_1      0123456789ABCDFE   -,1
C_2      0123456789ABCEFD   3,3
C_3      0123456789ABDEFC   -,1
Q_4      0123456789ABDCFE   1,1
C_5      0123456789ACDBFE   -,2
C_6      0123456789ACBDFE   3,3
C_7      0123456789ACBEFD   -,3
C_8      0123456789ACDEFB   3,3
C_9      0123456789ACDEBF   -,3
C_10     0123456789BCAEFD   3,3
C_11     0123456789BCEFDA   -,2
Q_12     0123456789CDEFAB   1,1
C_13     0123456789CDEFBA   -,1
C_14     0123456879CDEFBA   3,3
C_15     012345687A9CBEFD   -,3
C_16     012345687A9CDFBE   3,3
C_17     0123456879CDEFAB   -,2
C_18     0123456879ACDBFE   3,3
C_19     0123456879ACDFBE   -,3
C_20     0123456879ACDEBF   3,3
C_21     0123456879ACBDFE   -,3
C_22     0123456879ACFEDB   3,3
C_23     0123456879BCEFAD   -,3
C_24     012345687A9CFBDE   4,3
C_25     0123456879ABCEFD   -,3
C_26     0123456879BCDEFA   3,3
C_27     012345687ABCDEF9   -,3
C_28     0123456879BCEAFD   3,3
C_29     012345687ABCEFD9   -,3
C_30     012345687ABCE9FD   -,3
C_31     0123456879ACBEFD   3,3
C_32     0123456879ACFBDE   -,3
C_33     0123456879BCEFDA   3,3
C_34     0123456879BCFEAD   3,3
C_35     0123456879CEAFDB   -,3
C_36     0123456879CEAFBD   3,3
C_37     0123456879ACDEFB   -,3
C_38     0123456879ABDEFC   3,3
C_39     012345768A9CBEFD   -,3
C_40     012345768A9CBFDE   -,2
C_41     012345768A9CBFED   3,3
C_42     012345786ACBED9F   -,3
C_43     012345786ABCF9DE   3,3
C_44     012345786AC9BFED   3,3
C_45     012345786A9CFBDE   -,3
C_46     012345786ABCDEF9   3,3
C_47     012345786AC9DEBF   -,3
C_48     012345786AC9EDFB   -,3
C_49     012345786A9CDEBF   3,3
C_50     012345786A9CFDBE   3,3
C_51     012345786ABCDE9F   -,3
C_52     012345786ACBDE9F   3,3
C_53     012345786ACBDFE9   3,3
C_54     012345786A9BCEFD   -,2
C_55     012345786AB9CFDE   3,3
C_56     012345786AC9BFDE   -,3
C_57     012345786A9CBEFD   3,3
C_58     012345786ACFDE9B   -,3
C_59     012345786ACEDFB9   -,2
C_60     012345786ACFB9DE   3,3
C_61     012345786ACFDEB9   3,3
C_62     012345786A9CBFED   -,3
C_63     012345786AC9DEFB   3,3
C_64     012345786ABCED9F   3,3
C_65     012345786A9CFDEB   -,3
C_66     012345786ACB9EFD   3,3
C_67     012345786ACF9DBE   3,3
C_68     0123457869ACDFEB   -,3
C_69     0123457869ACDEBF   -,3
C_70     012345786ACBF9ED   3,3
C_71     012345786ACEBD9F   3,3
C_72     012345786ACDF9EB   -,3
C_73     012345786ACDF9BE   3,3
C_74     012345786ACDE9FB   3,3
C_75     012345786AC9FBED   -,3
C_76     012345786ACEBFD9   3,3
C_77     012345786A9CEFDB   -,3
C_78     0123457869ACBEDF   3,3
C_79     0123457869ACBFDE   -,3
C_80     0123457869ACBEFD   -,3
C_81     0123457869ACEFDB   3,3
C_82     0123457869ACEBDF   -,3
C_83     0123457869ACEBFD   3,3
C_84     012345786ACF9EBD   -,3
C_85     012345786A9CEBDF   3,3
C_86     012345786A9CFBED   3,3
C_87     012345786ACD9EFB   -,3
C_88     012345786ACD9FBE   -,2
C_89     012345786ACD9EBF   3,3
C_90     012345786ABCF9ED   -,3
C_91     012345786ACFBD9E   -,3
C_92     012345786ABC9EDF   3,3
C_93     012345786ABC9EFD   -,3
C_94     012345786ACED9FB   -,3
C_95     012345786A9CDFEB   3,3
C_96     012345786A9CEDFB   3,3
C_97     0123458A6BCEDF97   -,3
C_98     0123458A6BCF97ED   -,3
C_99     0123458A6BC97FDE   3,3
C_100    0123458A6B9CF7ED   -,3
C_101    0123458A6BCFED79   3,3
C_102    012345786A9CDBEF   -,3
C_103    0123458A69C7DFEB   3,3
C_104    0123458A69C7FDBE   3,3
C_105    0123458A697CBEFD   -,3
C_106    0123458A697CBFDE   -,3
C_107    0123458A69CE7FDB   3,3
C_108    0123458A6C9FEB7D   -,2
C_109    0123458A6CB9F7ED   -,3
C_110    0123458A69CFD7BE   3,3
C_111    0123458A69BC7FDE   3,3
C_112    0123458A6C7EBFD9   -,3
C_113    0123458A6C7FBE9D   -,3
C_114    012345786ACFBDE9   3,3
C_115    012345786ACBE9DF   3,3
C_116    0123458A6C9D7FBE   -,2
C_117    0123458A6C9D7EFB   -,3
C_118    0123458A6C9FDB7E   3,3
C_119    012345786ACB9FED   -,3
C_120    0123458A6C7EBDF9   3,3
C_121    0123458A6C7FBD9E   3,3
C_122    0123458A6BCE79FD   -,3
C_123    0123458A69BCE7DF   3,3
C_124    0123458A69CEBDF7   3,3
C_125    0123458A69CB7EFD   -,3
C_126    012345786AC9EDBF   3,3
C_127    012345786ABC9FED   3,3
C_128    0123458A6B9CDE7F   -,2
C_129    0123458A6BC7F9ED   -,3
C_130    0123458A6CBDE79F   3,2
C_131    0123458A6CE9BDF7   3,2
C_132    0123458A6CBD7E9F   -,3
C_133    0123458A6C9FBD7E   -,3
C_134    0123458A69C7DEBF   3,3

Table 9: classes $C_{135}$ to $C_{269}$

Class    Truth table        Sharing
C_135    0123458A69CDE7FB   -,3
C_136    0123458A69C7FBED   3,3
C_137    0123458967CEAFBD   -,3
C_138    0123458967CEAFDB   3,3
C_139    0123456879BCAEFD   -,3
C_140    012345687ABC9FDE   3,3
C_141    0123458967CEBFDA   -,3
C_142    012345786ACD9FEB   3,3
C_143    0123458A69CFB7DE   -,3
C_144    0123458A69CFDEB7   -,3
C_145    0123458A69BCF7ED   3,3
C_146    0123458A69CB7FDE   -,3
C_147    012345786ABCFDE9   3,3
C_148    012345786ABCE9FD   3,3
C_149    012345786ABCFD9E   -,3
C_150    0123458A6BCFDE97   2,2
C_151    0123458A6BCF97DE   2,2
C_152    0123458A6BCF7E9D   -,3
C_153    0123458A6B9CEDF7   -,3
C_154    0123467859CFBEAD   3,3
C_155    0123467859CFEBDA   3,3
C_156    0123458A69CFE7BD   -,3
C_157    0123458A69CEFB7D   -,3
C_158    0123458A6BCF7D9E   2,2
C_159    0123458A6BCED79F   2,2
C_160    0123468B59CED7AF   -,3
C_161    0123458A6B7CEDF9   3,3
C_162    0123458A6B7CDFE9   3,3
C_163    0123468C59BDE7AF   -,3
C_164    0123458A6B7C9FDE   3,3
C_165    0123458A6B7C9EFD   3,3
C_166    012345896ABCE7DF   -,2
C_167    0123458A67BC9EFD   -,3
C_168    0123458A6CBFE7D9   2,2
C_169    012345786ACFB9ED   -,3
C_170    012345786ACEB9DF   -,2
C_171    0123458A6CBF7E9D   2,2
C_172    0123458A6C9DBF7E   2,2
C_173    012345786A9CBDFE   -,3
C_174    0123458A69CF7EBD   3,3
C_175    012345786ACDE9BF   -,3
C_176    0123457869ACFEBD   3,3
C_177    0123457869BCEAFD   -,3
C_178    0123458A6C7DBFE9   3,3
C_179    012345786A9CEDBF   -,3
C_180    0123458A6C9D7FEB   3,3
C_181    012345896ABC7FDE   -,3
C_182    0123458A67BC9FDE   -,3
C_183    012345896ACF7BED   3,3
C_184    0123458A67CF9BED   3,3
C_185    012345896ACE7BFD   -,3
C_186    0123458A67CF9BDE   -,3
C_187    012345786ACEFB9D   3,3
C_188    012345786ACFEB9D   -,3
C_189    0123457869CEFBDA   3,3
C_190    0123458A6C7DBEF9   -,3
C_191    0123458A6C7FB9DE   -,3
C_192    0123458A6C7FBED9   3,3
C_193    0123458A6C7FDB9E   -,3
C_194    012345786ACFED9B   3,3
C_195    0123458A6BC7DE9F   -,3
C_196    0123468C59BDEA7F   3,3
C_197    0123458A6CBDE97F   -,3
C_198    0123458A69C7BEFD   3,3
C_199    0123458A6BCFD9E7   -,2
C_200    0123458A6BCFD79E   -,3
C_201    012345786ACB9FDE   3,3
C_202    012345786ACE9DFB   3,3
C_203    012345786ACF9BDE   -,3
C_204    012345786ACE9BFD   -,2
C_205    012345786ACDB9EF   3,3
C_206    012345896ABCEDF7   -,3
C_207    0123458A67BCEDF9   -,3
C_208    0123458A69C7BFDE   3,3
C_209    0123468B59CF7DAE   -,3
C_210    0123468A5BCF7D9E   -,3
C_211    0123458A69CED7FB   3,3
C_212    0123458A69BC7EFD   3,3
C_213    012345896ABC7EFD   -,2
C_214    0123458A67CEB9FD   2,2
C_215    012345896ACEB7FD   2,2
C_216    0123457869CDEFBA   -,2
C_217    012345687ABC9EFD   3,3
C_218    0123457869BCDEFA   -,3
C_219    012345786ACF9BED   3,3
C_220    0123468A59CFDE7B   -,3
C_221    0123457869CEAFDB   3,3
C_222    0123467859CFEADB   -,3
C_223    0123468A5BCFDE79   2,2
C_224    0123457869CEBFDA   -,3
C_225    0123456879CEBFDA   3,3
C_226    012345786ABC9FDE   -,3
C_227    012345786ACFD9BE   -,3
C_228    0123458A69BCEDF7   3,3
C_229    0123458A6C9DBFE7   -,3
C_230    0123458A6CEB7FD9   -,3
C_231    0123468B59CEDA7F   3,3
C_232    0123458A6C9FDBE7   -,3
C_233    0123458A67B9CFDE   2,2
C_234    012345896AB7CFDE   2,2
C_235    0123458A69B7CEFD   -,3
C_236    0123458A6B97CFDE   2,2
C_237    0123458A69B7CFDE   -,3
C_238    0123457689CEAFBD   2,2
C_239    0123457689CEAFDB   -,3
C_240    012345768A9CDEFB   3,3
C_241    012345768A9CDEBF   -,2
C_242    012345768A9CDFEB   -,3
C_243    012345768ACF9BDE   2,2
C_244    012345768ACE9BFD   2,2
C_245    012345768ACF9BED   -,3
C_246    0123456879BAEFDC   -,2
C_247    012345687AB9DEFC   3,3
C_248    0123456879CEFBDA   -,2
C_249    0123458A69CFEB7D   3,3
C_250    0123458A69CD7FEB   -,3
C_251    0123458A69CEF7DB   -,3
C_252    0123458A69CEFBD7   2,2
C_253    0123458A69CE7FBD   -,3
C_254    0123458A69BCFD7E   3,3
C_255    012345786ABCEDF9   -,3
C_256    012345896ACF7BDE   -,3
C_257    012345896ABCFD7E   -,2
C_258    012345896ACE7BDF   2,2
C_259    012345896ACEFDB7   2,2
C_260    012345896AB7CEFD   2,2
C_261    0123458A69CEB7FD   -,3
C_262    0123458A6C7DB9FE   2,2
C_263    0123458A6BC7EDF9   -,3
C_264    0123458A6C7DFEB9   2,2
C_265    0123458A6BCDE9F7   -,3
C_266    0123468A5BCFED97   2,2
C_267    012345786ABCE9DF   -,3
C_268    0123458A69CFBED7   3,3
C_269    0123458A69CEBFD7   -,3

Table 10: classes $C_{270}$ to $C_{301}$

Class    Truth table        Sharing
C_270    0123468B5C9DEA7F   3,3
C_271    0123468B5C9DAFE7   -,3
C_272    0123468B5CD79FAE   -,3
C_273    0123458A6C7FEB9D   3,3
C_274    0123458A6BCED97F   -,3
C_275    0123458A6CF7BE9D   3,3
C_276    0123458A6CF7BD9E   -,3
C_277    0123458A6BC9DE7F   3,3
C_278    0123468B5CD7AF9E   3,3
C_279    0123458A6BC7DFE9   -,3
C_280    0123457869ACEDBF   3,3
C_281    0123457869ACFBDE   3,3
C_282    0123468B5CD7F9EA   -,3
C_283    0123468B5C9DE7AF   -,3
C_284    0123458A6BCF9D7E   -,3
C_285    0123457869CEAFBD   -,2
C_286    0123458967CEFBDA   2,2
C_287    012345768A9CDFBE   3,3
C_288    0123456789CEFBDA   2,2
C_289    0123456789CEBFDA   -,3
C_290    0123456789BCEAFD   -,3
C_291    012345768A9BCFED   -,3
C_292    012345768A9BCEFD   2,2
Q_293    0123457689CDEFBA   1,1
Q_294    0123456789BAEFDC   1,1
C_295    0123468C59DFA7BE   -,3
C_296    0123468A5BCF7E9D   2,2
C_297    0123468A5BCF79DE   2,2
C_298    012345687ACEB9FD   -,2
Q_299    012345678ACEB9FD   1,1
Q_300    0123458967CDEFAB   2,1
C_301    0123458967CDEFBA   -,1

Table 11: Known S-boxes and their classes (superscript 4 of the class names omitted)

Class    Cipher S-boxes
C_39     DESL Row2, DESL Row3
C_46     DES7 Row3
C_59     DES7 Row1
C_69     DES3 Row1, DES7 Row0
C_74     DES6 Row1
C_80     DES8 Row2
C_85     DES1 Row0, DES1 Row1, DES1 Row2, DES8 Row3
C_97     DES8 Row0
C_108    Twofish q1 t1
C_117    DES2 Row0, DES6 Row3
C_120    Twofish q0 t3
C_137    DES8 Row1
C_139    DES3 Row0, DES5 Row0
C_142    Twofish q1 t3
C_145    Gost K6
C_148    DES5 Row3
C_153    Twofish q1 t0
C_154    Gost K5
C_160    Serpent3, Serpent7, Clefia2, Clefia3, HB1 S1, HB1 S3, HB2 S0
C_163    Clefia1, HB1 S2, HB2 S1
C_166    DES2 Row1, DESL Row0
C_172    Gost K1
C_177    Gost K8
C_184    DES1 Row3
C_188    Lucifer S0
C_190    Twofish q0 t0
C_197    Lucifer S1
C_204    DES2 Row2, DES3 Row2, DESL Row1
C_206    Gost K7
C_208    Twofish q0 t1
C_209    Serpent4, Serpent5, HB2 S2
C_210    Clefia0, Twofish q0 t2, HB1 S0, HB2 S3
C_220    DES6 Row0
C_221    DES5 Row2
C_223    Noekeon, Luffa v1, Piccolo
C_229    Twofish q1 t2
C_231    JH S0, JH S1
C_253    Gost K3
C_254    DES5 Row1
C_257    DES3 Row3
C_266    Present, Serpent2, Serpent6, Luffa v2, Hamsi
C_267    Gost K4
C_270    Klein, Khazad P, Khazad Q, Iceberg G0, Iceberg G1, Puffin
C_275    Gost K2
C_279    DES2 Row3, DES4 Row0, DES4 Row1, DES4 Row2, DES4 Row3, DES7 Row2
C_281    DES6 Row2
C_282    Inversion in $GF(2^4)$, mCrypton S0, S1, S2, S3
C_296    Serpent1
C_297    Serpent0

Table 12: Quadratic decompositions of length 2. For each class in $A_{16}$ with decomposition length 2, the simple solutions quadratic × quadratic are listed by the indices of the quadratic classes ($Q_4$, $Q_{12}$, $Q_{293}$, $Q_{294}$, $Q_{299}$, $Q_{300}$), followed by their number.

Class    Quadratic decompositions of length 2                                                        # simple solutions
C_130    300 × 299                                                                                   1
C_131    299 × 300                                                                                   1
C_150    12 × 293, 293 × 300, 300 × 12, 300 × 300                                                    4
C_151    12 × 300, 293 × 12, 300 × 293, 300 × 300                                                    4
C_158    299 × 293                                                                                   1
C_159    293 × 299                                                                                   1
C_168    12 × 300, 293 × 293, 300 × 12, 300 × 300                                                    4
C_171    293 × 12, 293 × 300, 294 × 293, 294 × 300                                                   4
C_172    12 × 293, 293 × 294, 300 × 293, 300 × 294                                                   4
C_214    4 × 299, 12 × 12, 12 × 294, 12 × 299, 293 × 4, 293 × 12, 293 × 294, 293 × 299, 294 × 12, 294 × 294, 294 × 299, 300 × 4, 300 × 12, 300 × 294, 300 × 299    15
C_215    4 × 293, 4 × 300, 12 × 12, 12 × 293, 12 × 294, 12 × 300, 294 × 12, 294 × 293, 294 × 294, 294 × 300, 299 × 4, 299 × 12, 299 × 293, 299 × 294, 299 × 300    15
C_223    12 × 293, 293 × 293, 293 × 294, 294 × 293, 294 × 294, 299 × 12, 299 × 299                   7
C_233    12 × 12, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 12, 300 × 293, 300 × 300          8
C_234    12 × 12, 12 × 294, 12 × 299, 293 × 293, 293 × 300, 300 × 293, 300 × 294, 300 × 300          8
C_236    12 × 12, 293 × 293, 293 × 294, 293 × 300, 294 × 293, 294 × 294, 299 × 299, 300 × 293, 300 × 300    9
C_238    12 × 300, 293 × 293, 300 × 12, 300 × 300                                                    4
C_243    4 × 293, 4 × 294, 12 × 4, 12 × 293, 12 × 294, 12 × 299, 293 × 12, 293 × 294, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 299 × 4, 299 × 293, 299 × 294, 300 × 12, 300 × 294, 300 × 299    18
C_244    4 × 12, 4 × 294, 4 × 299, 12 × 293, 12 × 294, 12 × 300, 293 × 4, 293 × 12, 293 × 294, 293 × 300, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 294 × 299, 294 × 300, 299 × 12, 299 × 300    18
C_252    299 × 300, 300 × 299                                                                        2
C_258    4 × 12, 4 × 300, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300, 293 × 12, 293 × 294, 293 × 299, 294 × 12, 294 × 293, 294 × 299, 294 × 300, 299 × 12, 299 × 293, 299 × 294, 299 × 300, 300 × 4, 300 × 12, 300 × 294, 300 × 299    23
C_259    4 × 12, 4 × 300, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300, 293 × 4, 293 × 12, 293 × 294, 293 × 299, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 294 × 300, 299 × 12, 299 × 293, 299 × 294, 299 × 300, 300 × 12, 300 × 294, 300 × 299    23
C_260    4 × 293, 4 × 294, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 299, 12 × 300, 293 × 12, 293 × 294, 293 × 299, 294 × 12, 294 × 293, 294 × 294, 294 × 299, 294 × 299, 299 × 12, 299 × 293, 299 × 300, 300 × 4, 300 × 12, 300 × 294, 300 × 299    23
C_262    12 × 299, 294 × 299, 299 × 12, 299 × 294                                                    4
C_264    12 × 294, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 299, 300 × 293, 300 × 294        8
C_266    12 × 12, 293 × 300, 294 × 299, 299 × 294, 299 × 299, 300 × 293, 300 × 300                   7
C_286    12 × 293, 12 × 300, 293 × 12, 293 × 300, 300 × 12, 300 × 293, 300 × 300                     7
C_288    12 × 12, 293 × 300, 300 × 293, 300 × 300                                                    4
C_292    4 × 4, 4 × 12, 4 × 294, 12 × 4, 12 × 12, 12 × 293, 12 × 294, 12 × 300, 293 × 12, 293 × 294, 293 × 299, 294 × 4, 294 × 12, 294 × 293, 294 × 294, 294 × 299, 294 × 300, 299 × 293, 299 × 294, 299 × 300, 300 × 12, 300 × 294, 300 × 299    23
C_296    12 × 299, 293 × 293, 293 × 300, 294 × 12, 294 × 300, 299 × 294, 299 × 299                   7
C_297    12 × 294, 293 × 293, 294 × 299, 299 × 12, 299 × 299, 300 × 293, 300 × 294                   7
