Abstract
In this paper, we introduce PIPO, a new lightweight 64-bit block cipher supporting a 128- or 256-bit key. The name stands for "Plug-In" and "Plug-Out", reflecting its intended use in side-channel-protected and unprotected environments, respectively. PIPO is a byte-oriented, bitsliced cipher that offers excellent performance in 8-bit AVR software implementations. In particular, it allows efficient higher-order masking implementations, since it uses a minimal number of nonlinear operations. Our implementations show that PIPO outperforms existing block ciphers with the same block and key lengths in both side-channel-protected and unprotected environments on an 8-bit AVR. Furthermore, PIPO achieves competitive round-based hardware implementations.
For the nonlinear layer of PIPO, we developed a new lightweight 8-bit S-box that admits an efficient bitsliced implementation with only 11 nonlinear bitwise operations. Furthermore, its differential and linear branch numbers are both 3, which allows PIPO to resist differential and linear attacks with fewer rounds. The security of PIPO has been scrutinized against state-of-the-art cryptanalysis.
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00520, Development of SCR-Friendly Symmetric Key Cryptosystem and Its Application Modes).
Notes
1. For higher resistance against DC and LC, bit swapping is additionally performed in the \(S_8\) design (refer to Sect. 3.2).
Appendices
A Test Vectors
The following test vectors are given in big-endian representation.

PIPO-64/128
- Secret key: 0x6DC416DD_779428D2_7E1D20AD_2E152297
- Plaintext: 0x098552F6_1E270026
- Ciphertext: 0x6B6B2981_AD5D0327

PIPO-64/256
- Secret key: 0x009A3AA4_76A96DB5_54A71206_26D15633_6DC416DD_779428D2_7E1D20AD_2E152297
- Plaintext: 0x098552F6_1E270026
- Ciphertext: 0x816DAE6F_B6523889
B Proofs of Proposition and Theorems
B.1 Proof of Proposition 1
(\(\Rightarrow \))
If \(S_{3}\) or \(S^{1}_{5}\) is non-bijective, there are two different inputs \(X_L||X_R,X_L'||X_R'\) satisfying \((S^{1}_{5}(X_L),S_{3}(X_R))=(S^{1}_{5}(X_L'),S_{3}(X_R'))\). Then it is easy to see that \(S_8(X_L||X_R)=S_8(X_L'||X_R')\), and thus conditions i) and ii) must hold. Assume that the \(f_{y}\) in condition iii) is non-bijective for some \(y\in \mathbb {F}^{3}_{2}\). Then there are two different inputs \(a,a'\) satisfying \(f_{y}(a)=f_{y}(a')\). This gives \(\tau _2'(S^{2}_{5}(y||a))=\tau _2'(S^{2}_{5}(y||a'))\). On the other hand, we can take a pair \(X_{R},X_{R}'\) satisfying \(\tau _3(S^{2}_{5}(y||a))\oplus S_3(X_R)=\tau _3(S^{2}_{5}(y||a'))\oplus S_3(X_R')\), and thus \(C_R=C_R'\). Combining the above two equations yields \(S^{2}_{5}(y||a)\oplus (S_3(X_R)||0^{(2)})=S^{2}_{5}(y||a')\oplus (S_3(X_R')||0^{(2)})\). Next, we take a pair \(X_L,X_L'\) satisfying \(S^{1}_{5}(X_{L})=(y\oplus S_{3}(X_R))||a\) and \(S^{1}_{5}(X_{L}')=(y\oplus S_{3}(X_R'))||a'\). Since \(a\ne a'\), we have \(X_L \ne X_L'\) satisfying \(S_8(X_L||X_R)=S_8(X_L'||X_R')\). Therefore, condition iii) must also hold.
(\(\Leftarrow \))
Assume that \(X_L\ne X_L'\) and \(X_R=X_R'\). If \(\tau _3(S^1_5(X_L))\ne \tau _3(S^1_5(X_L'))\), then \(C_L(X_L,X_R)\ne C_L(X_L',X_R')\). Let \(\tau _3(S^1_5(X_L))=\tau _3(S^1_5(X_L'))\). It leads to \(C_L(X_L,X_R)\) \(= C_L(X_L',X_R')\), and \(\tau _2'(S^1_5(X_L))\ne \tau _2'(S^1_5(X_L'))\). Because of condition iii), \(\tau _2(C_R(X_L,\) \(X_R))\ne \tau _2(C_R(X_L',X_R'))\). Assume that \(X_L= X_L'\) and \(X_R\ne X_R'\). Since \(S_3(X_R)\ne S_3(X_R')\), \(C_L(X_L,X_R)\ne C_L(X_L',X_R')\). Assume that \(X_L\ne X_L'\), \(X_R\ne X_R'\). If \(C_L(X_L,X_R)= C_L(X_L',X_R')\), either \(\tau _2'(S^1_5(X_L))\ne \tau _2'(S^1_5(X_L'))\) or \(\tau _2'(S^1_5(X_L))=\tau _2'(S^1_5(X_L'))\). The former case leads to \(\tau _2(C_R(X_L,X_R))\ne \tau _2(C_R(X_L',X_R'))\), and the latter case leads to \(\tau _3'(C_R(X_L,X_R))\ne \tau _3'(C_R(X_L',X_R'))\). Therefore, the 8-bit S-box is bijective. \(\blacksquare \)
B.2 Proof of Theorem 1
We define the following notation for ease of expression.
\(Y=S^1_5(X_L)\), \(Z=S^1_5(X_L)\oplus (S_3(X_R)||0^{(2)})\), \(A=\tau _2'(Y)=\tau _2'(Z)\), \(Y=Y'||A\), \(Z=Z'||A\).
Then \(C_L\) and \(C_R\) can be written as
\(C_L(X_L,X_R)=\tau _3(Y)\oplus S_3(X_R)=\tau _3(Z)\),
\(C_R(X_L,X_R)=\rho _c(S^2_5(Y\oplus (S_3(X_R)||0^{(2)})))\oplus S_3(X_R)=\rho _c(Z)\oplus S_3(X_R)\).
For convenience, we do not write 0 paddings on MSBs of smaller-bit data operating with larger-bit data; here, the 5-bit operand \(S_3(X_{R})\) represents \(0^{(2)}||S_3(X_{R})\).
Case \((0^{(5)}||\varDelta a,0^{(3)}||\varDelta c)\): It happens if and only if there exists at least one \((X_{L},X_{R})\) satisfying both \(C_{L}(X_{L},X_{R})\oplus C_{L}(X_{L},X_{R}\oplus \varDelta a)=\varDelta 0\) and \(C_{R}(X_{L},X_{R})\oplus C_{R}(X_{L},X_{R}\oplus \varDelta a)=\varDelta c\). The first equation is expressed as
Since \(S_{3}\) is bijective, the \((0^{(5)}||\varDelta a,0^{(3)}||\varDelta c)\) case does not happen.
Case \((0^{(5)}||\varDelta a,\varDelta d||0^{(5)})\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L,X_R\oplus \varDelta a)=\varDelta d\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L,X_R\oplus \varDelta a)=\varDelta 0\). The first equation is expressed as
Similarly, the second equation \(C_{R}(X_L,X_R)\oplus C_{R}(X_L,X_R\oplus \varDelta a)=\varDelta 0\) is expressed as
By applying \(\rho _c^{-1}\), we have
Substituting \(Z\), we obtain
Since the function \((X_L,X_R)\mapsto (Z,X_R)\) is bijective, the \((0^{(5)}||\varDelta a,\varDelta d||0^{(5)})\) case does not happen if and only if there is no \((Z,X_R)\) satisfying both Eqs. (1) and (2), which is equivalent to condition i) where \(\varDelta \alpha =\varDelta a\), \(\varDelta \beta =\varDelta d\).
Case \((\varDelta b||0^{(3)},0^{(3)}||\varDelta c)\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L\oplus \varDelta b,X_R)=\varDelta 0\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta c\). The first equation is expressed as
Since \(S^{1}_{5}\) is bijective, for a non-zero difference \(\varDelta \omega \in \mathbb {F}^{2}_{2}\), the above equation becomes
The equation is rewritten as
By applying \((S^1_5)^{-1}\), we obtain
By using the variables \(Y,Y'\) and A, we have
And the second equation \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta c\) is expressed as
By applying \(\rho _c^{-1}\), we obtain
This gives the equation
For each A, the above Eqs. (3) and (4) are equivalent to
Here, \(\varDelta \omega \) is arbitrary nonzero 2-bit difference, and thus we can define \(B=A\oplus \varDelta \omega \) i.e., \(B\ne A\). Since the function \((X_L,X_R)\mapsto (Y',A,Z')\) is bijective, the \((\varDelta b||0^{(3)},0^{(3)}||\varDelta c)\) case does not happen if and only if there is no \((Y',A,Z')\) satisfying both Eqs. (5) and (6) for all \(B(\ne A)\), which is equivalent to condition ii) where \(\varDelta \alpha =\varDelta b\), \(\varDelta \beta =\rho ^{-1}_c(\varDelta c)\).
Case \((\varDelta b||0^{(3)},\varDelta d||0^{(5)})\): It happens if and only if there exists at least one \((X_L,X_R)\) satisfying both \(C_{L}(X_L,X_R)\oplus C_{L}(X_L\oplus \varDelta b,X_R)=\varDelta d\) and \(C_{R}(X_L,X_R)\oplus C_{R}(X_L\oplus \varDelta b,X_R)=\varDelta 0\). The first equation is expressed as
For a difference \(\varDelta \omega \in \mathbb {F}^{2}_{2}\), the above equation becomes
As in Eq. (3), we obtain
And the second equation is expressed as
Clearly,
It becomes
For each A, the above Eqs. (7) and (8) are equivalent to
Similarly to the case above, we define \(B=A\oplus \varDelta \omega \). This time \(B\) may equal \(A\), since \(\varDelta \omega \) can be the zero difference. The \((\varDelta b||0^{(3)},\varDelta d||0^{(5)})\) case does not happen if and only if there is no \((Y',A,Z')\) satisfying both Eqs. (9) and (10) for all \(B\), which is equivalent to condition iii) where \(\varDelta \alpha =\varDelta d\), \(\varDelta \beta =\varDelta b\).\(\blacksquare \)
B.3 Proof of Theorem 2
We use \(Y,Y',Z,Z'\), and A defined in proof B.2.
Input mask on \(X_R\), output mask on \(C_R\): This case is expressed as \(X_{R}\bullet \lambda _a=C_{R}(X_{L},X_{R})\bullet \lambda _c\). It follows that \(X_{R}\bullet \lambda _a=(\rho _c(S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R}))\bullet \lambda _c\). By substituting the variable \(Z\), the equation becomes \(X_R\bullet \lambda _a\oplus S_{3}(X_{R})\bullet \lambda _c = \rho _c(S^{2}_{5}(Z))\bullet \lambda _c\). Note that the function \((X_{L},X_{R})\mapsto (Z,X_R)\) is bijective. Suppose \(\tau _2(\lambda _c)\ne 0\). Then the equation becomes \(X_R\bullet \lambda _a=\rho _c(S^{2}_{5}(Z))\bullet \lambda _c\). This has zero bias because the equation \(X_R\bullet \lambda _a=0\) has zero bias, and \(Z\) and \(X_R\) are independent variables. Now suppose \(\tau _2(\lambda _c)=0\). The equation \(X_R\bullet \lambda _a\oplus S_{3}(X_{R})\bullet \lambda _c = \rho _c(S^{2}_{5}(Z))\bullet \lambda _c\) has zero bias if and only if at least one of the entries \((\lambda _a,\tau _3'(\lambda _c))\) in the LAT of \(S_3\) and \((0,\tau _3'(\lambda _c)||0^{(2)})\) in the LAT of \(S_5^2\) is zero. This is due to the fact that \(Z\) is independent of \(X_R\). It is equivalent to condition i).
Input mask on \(X_R\), output mask on \(C_L\): This case is expressed as \(X_{R}\bullet \lambda _a=C_{L}(X_{L},X_{R})\bullet \lambda _d\). It follows that \(X_{R}\bullet \lambda _a=(\tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R}))\bullet \lambda _d\). The equation becomes \(X_R\bullet \lambda _a = \tau _3(Z)\bullet \lambda _d\) by the definition of \(Z\). So this case has zero bias, because \(\tau _3(Z)\) is independent of \(X_R\).
Input mask on \(X_L\), output mask on \(C_R\): This case is expressed as \(X_{L}\bullet \lambda _b=C_{R}(X_{L},X_{R})\bullet \lambda _c\). It follows that \(X_{L}\bullet \lambda _b=(\rho _c(S^{2}_{5}(S^{1}_{5}(X_{L})\oplus (S_{3}(X_{R})||0^{(2)})))\oplus S_{3}(X_{R}))\bullet \lambda _c\). We can rewrite the equation as
where \(\lambda _t=\tau _3'(\lambda _c)||0^{(2)}\) (here, \(0^{(2)}\) can be replaced by 01, 10 or \(1^{(2)}\)). By applying the variables of Y and Z, this becomes equivalent to the following equations
For all \(A\in \mathbb {F}^2_2\), we have
Clearly,
A collection of \((Y',Z')\) that satisfies the above equation is equivalent to
Then the size of this set is \((4+a_A)(4+b_A)+(4-a_A)(4-b_A)=32+2a_Ab_A\), where \(a_A\) and \(b_A\) are the entries \((\tau _3(\lambda _t),\lambda _b)\) and \((\tau _3(\lambda _t),\rho _c^{-1}(\lambda _c))\) in the LAT of \(\mathfrak {F}_A^1\) and \(\mathfrak {F}_A^2\), respectively. The above equation has zero bias if and only if
It leads to \(\sum _{A\in \mathbb {F}_2^2} a_Ab_A=0\). Because \(\tau _3(\lambda _t)=\tau _3'(\lambda _c)\), it is equivalent to condition ii) (when \(\tau _3'(\lambda _c)\ne 0\)) and condition iii) (when \(\tau _3'(\lambda _c)=0\)).
Input mask on \(X_L\), output mask on \(C_L\): This case is expressed as \(X_{L}\bullet \lambda _b=C_{L}(X_{L},X_{R})\bullet \lambda _d\). It follows that \(X_{L}\bullet \lambda _b=(\tau _3(S^{1}_{5}(X_{L}))\oplus S_{3}(X_{R}))\bullet \lambda _d\). The equation becomes \(X_L\bullet \lambda _b = Z'\bullet \lambda _d\) by the definition of \(Z'\). We note that the function \((X_{L},X_{R})\mapsto (X_L,Z')\) is bijective, and \(X_L\) and \(Z'\) are independent variables. So this equation has zero bias.\(\blacksquare \)
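Theorems 1 and 2 establish, case by case, that no weight-1 input difference (or linear mask) passes through \(S_8\) to a weight-1 output difference (or mask), which is what the abstract's claim of differential and linear branch numbers 3 amounts to. The following Python is an added example, not code from the PIPO paper: it builds the DDT and LAT of any S-box given as a lookup table and reads the two branch numbers off them, listing any surviving single-bit transitions. Table 7 (the \(S_8\) table) is not reproduced on this page, so the PRESENT 4-bit S-box is used as the worked input and the identity map as a weak baseline; both of these inputs are assumptions of the example. Fed the actual \(S_8\) table, `differential_branch_number` and `linear_branch_number` should both return 3 if the paper's claim holds.

```python
# Added example, not code from the PIPO paper.  Computes the DDT and LAT of an
# S-box given as a lookup table and derives its differential and linear branch
# numbers.  Since Table 7 (PIPO's S_8) is not on this page, the PRESENT 4-bit
# S-box is the assumed worked input; the identity map is the weak baseline.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))


def _width(sbox):
    """Return n for a bijective table on 2^n entries; reject anything else."""
    n = len(sbox).bit_length() - 1
    if (1 << n) != len(sbox) or sorted(sbox) != list(range(len(sbox))):
        raise ValueError("S-box must be a permutation of 0..2^n-1")
    return n


def weight(v):
    return bin(v).count("1")


def parity(v):
    return weight(v) & 1


def ddt(sbox):
    """ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    size = 1 << _width(sbox)
    table = [[0] * size for _ in range(size)]
    for din in range(size):
        for x in range(size):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def lat(sbox):
    """lat[a][b] = #{x : a.x == b.S(x)} - 2^(n-1); zero means unbiased."""
    size = 1 << _width(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            agree = sum(1 for x in range(size)
                        if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - size // 2
    return table


def branch_number(table):
    """Smallest wt(u) + wt(v) over nonzero (u, v) with a nonzero table entry.
    A weight-1 -> weight-1 transition gives 2; PIPO's S_8 is claimed to have 3."""
    size = len(table)
    return min(weight(u) + weight(v)
               for u in range(1, size) for v in range(1, size)
               if table[u][v] != 0)


def differential_branch_number(sbox):
    return branch_number(ddt(sbox))


def linear_branch_number(sbox):
    return branch_number(lat(sbox))


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences."""
    return max(max(row) for row in ddt(sbox)[1:])


def single_bit_transitions(table):
    """Nonzero table entries with wt(u) = wt(v) = 1, i.e. exactly what a
    branch number of 3 rules out.  Returns (u, v, entry) triples."""
    size = len(table)
    return [(u, v, table[u][v])
            for u in range(1, size) for v in range(1, size)
            if weight(u) == 1 and weight(v) == 1 and table[u][v] != 0]


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("identity", IDENTITY_SBOX)):
        print(name, "differential branch", differential_branch_number(box),
              "linear branch", linear_branch_number(box),
              "uniformity", differential_uniformity(box),
              "single-bit LAT entries", single_bit_transitions(lat(box)))
```

For PRESENT the differential branch number is 3 (no single-bit difference maps to a single-bit difference) but the linear branch number is only 2, because the single-bit approximation \((a,b)=(2,2)\) has a nonzero LAT entry; this is the asymmetry the \(S_8\) design removes by requiring both numbers to be 3.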
C 8-bit S-box of PIPO, \(S_8\)
C.1 Table of the \(S_8\)
Table 7 shows the \(S_{8}\).
C.2 Bitsliced Implementations of the \(S_8\) and Its Inverse
Listing 1.2 is the bitsliced implementation of \(S_8\) (Footnote 1). The bitsliced implementation of the inverse \(S_8\) cannot be obtained simply by reversing the bitsliced implementation of \(S_8\), because not all input bits of \(S_5^2\) are available; Listing 1.3 shows how the inverse \(S_8\) is implemented from the bits that are available. Since \(S_8\) is applied to each column of the \(8\times 8\) bit array depicted in Fig. 1, the S-layer is obtained by replacing each bit x[i] with the byte X[i] holding the i-th row, for \(i=0,1,\cdots ,7\).
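The row-for-bit substitution described above, as an added Python example that is not code from the PIPO paper: the S-box is applied to all eight columns of an \(n\times 8\) bit array at once using only AND and XOR on whole rows, so a single evaluation of the boolean circuit processes every column in parallel and the lookup is constant-time. Because Listing 1.2 (the hand-optimised 11-AND circuit of \(S_8\)) and Table 7 are not reproduced on this page, the circuit is derived generically from the S-box's algebraic normal form via a Möbius transform, and the PRESENT 4-bit S-box stands in for \(S_8\); both choices, and the sample columns, are assumptions of the example.

```python
# Added example, not code from the PIPO paper.  Demonstrates the "replace bit
# x[i] with row byte X[i]" trick: an S-box is applied to all 8 columns of an
# n x 8 bit array at once using only AND/XOR on whole rows.  The boolean
# circuit is derived generically from the S-box's algebraic normal form (ANF)
# by a Moebius transform, not the hand-optimised 11-AND circuit of S_8
# (Listing 1.2 is not reproduced on this page).  The PRESENT 4-bit S-box
# stands in for the missing Table 7 (an assumption).

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def anf(sbox, n):
    """For each output bit j, the set of ANF monomials of coordinate j, each
    monomial encoded as a bit mask over the n input bits (0 = constant 1)."""
    size = 1 << n
    coords = []
    for j in range(n):
        f = [(sbox[x] >> j) & 1 for x in range(size)]
        step = 1                      # in-place Moebius transform
        while step < size:
            for x in range(size):
                if x & step:
                    f[x] ^= f[x ^ step]
            step <<= 1
        coords.append({m for m in range(size) if f[m]})
    return coords


def algebraic_degree(sbox, n):
    return max(bin(m).count("1") for coord in anf(sbox, n) for m in coord)


def columns_to_rows(columns, n, width=8):
    """Pack bit i of column c into bit c of row i (row i is X[i] in the paper)."""
    if len(columns) > width:
        raise ValueError("more columns than the row width")
    rows = [0] * n
    for c, v in enumerate(columns):
        for i in range(n):
            if (v >> i) & 1:
                rows[i] |= 1 << c
    return rows


def rows_to_columns(rows, n, width=8):
    return [sum(((rows[i] >> c) & 1) << i for i in range(n))
            for c in range(width)]


def sbox_layer(sbox, rows, n, width=8):
    """Evaluate the S-box on every column of the row-packed array.  Each
    monomial becomes an AND of whole rows; each coordinate is their XOR."""
    mask = (1 << width) - 1
    out = []
    for monomials in anf(sbox, n):
        acc = 0
        for m in monomials:
            term = mask               # empty monomial: all-ones row
            for i in range(n):
                if (m >> i) & 1:
                    term &= rows[i]   # one AND across the whole row
            acc ^= term
        out.append(acc & mask)
    return out


def nonlinear_and_count(sbox, n):
    """ANDs used by this naive circuit (one per extra variable of every
    monomial of degree >= 2, no sharing); the figure PIPO minimises to 11."""
    return sum(bin(m).count("1") - 1
               for coord in anf(sbox, n) for m in coord
               if bin(m).count("1") >= 2)


if __name__ == "__main__":
    cols = [0x0, 0x5, 0xA, 0xF, 0x3, 0xC, 0x7, 0x9]   # constructed sample input
    rows = columns_to_rows(cols, 4)
    print(rows_to_columns(sbox_layer(PRESENT_SBOX, rows, 4), 4))
    print("degree", algebraic_degree(PRESENT_SBOX, 4),
          "naive ANDs", nonlinear_and_count(PRESENT_SBOX, 4))
```

The naive ANF circuit is correct but far from minimal; the point of a hand-designed bitsliced S-box such as \(S_8\) is to reach the same function with a small fixed number of ANDs, since under higher-order masking every AND costs a full masked multiplication while XORs are free.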
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Kim, H. et al. (2021). PIPO: A Lightweight Block Cipher with Efficient Higher-Order Masking Software Implementations. In: Hong, D. (eds) Information Security and Cryptology – ICISC 2020. ICISC 2020. Lecture Notes in Computer Science(), vol 12593. Springer, Cham. https://doi.org/10.1007/978-3-030-68890-5_6
DOI: https://doi.org/10.1007/978-3-030-68890-5_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-68889-9
Online ISBN: 978-3-030-68890-5